IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
"}],"value":"IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-22T13:20:14.904Z","orgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","shortName":"ibm"},"references":[{"tags":["vendor-advisory","patch"],"url":"https://www.ibm.com/support/pages/node/7276116"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":""}],"value":"Affected Product(s)Version(s)Remediation/Fix/Instructions\n\nIBM Engineering Lifecycle Management - Engineering Workflow Management\n\n7.0.3Download and install iFix021 https://www.ibm.com/support/fixcentral/swg/downloadFixes or later\n\nIBM Engineering Lifecycle Management - Engineering Workflow Management\n\n7.1.0Download and install iFix008 https://www.ibm.com/support/fixcentral/swg/downloadFixes or later"}],"title":"IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vulnerabilities HTML / XSS Injection observed","x_generator":{"engine":"ibm-cvegen"}}},"cveMetadata":{"assignerOrgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","assignerShortName":"ibm","cveId":"CVE-2025-33128","datePublished":"2026-06-22T13:20:14.904Z","dateReserved":"2025-04-15T17:51:11.505Z","dateUpdated":"2026-06-22T13:20:14.904Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-22 14:16:22","lastModifiedDate":"2026-06-22 17:09:39","problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"33128","Ordinal":"1","Title":"IBM Engineering Lifecycle Management - Engineering Workflow Mana","CVE":"CVE-2025-33128","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"33128","Ordinal":"1","NoteData":"IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.","Type":"Description","Title":"IBM Engineering Lifecycle Management - Engineering Workflow Mana"}]}}}