CVE-2025-36172
📋 TL;DR
This stored XSS vulnerability in IBM Cloud Pak for Business Automation allows authenticated users to inject malicious JavaScript into the web interface. The injected code can execute in other users' browsers, potentially stealing session credentials or performing unauthorized actions. Affected versions include IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases.
💻 Affected Systems
- IBM Cloud Pak for Business Automation
- IBM Business Automation Workflow
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, gain full system access, and compromise the entire business automation environment.
Likely Case
Attackers steal user session tokens or credentials, leading to unauthorized access to business workflows and sensitive data.
If Mitigated
Limited to authenticated users only, with proper input validation and output encoding preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. Stored XSS means payload persists and affects multiple users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply interim fixes: 25.0.0 Interim Fix 002, 24.0.1 Interim Fix 005, 24.0.0 Interim Fix 007
Vendor Advisory: https://www.ibm.com/support/pages/node/7250047
Restart Required: Yes
Instructions:
1. Download the appropriate interim fix from IBM Fix Central.
2. Apply the fix following IBM documentation.
3. Restart affected services.
4. Verify the fix was applied successfully.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side input validation and output encoding for all user-controllable fields in the web interface.
Content Security Policy
Implement strict Content Security Policy headers to restrict script execution sources.
🧯 If You Can't Patch
- Restrict user permissions to minimum required, limiting who can create/modify content
- Implement web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check current version against affected versions list. Test for XSS by attempting to inject basic script payloads in user-controllable fields.
Check Version:
Check IBM Cloud Pak version through administrative console or command line tools specific to your deployment.
Verify Fix Applied:
Verify version is updated to patched version. Test XSS injection attempts to confirm they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript payloads in user input fields
- Multiple failed XSS attempts
- Suspicious user activity patterns
Network Indicators:
- Unexpected external script loads in HTTP traffic
- Suspicious POST requests with script content
SIEM Query:
source="web_logs" AND (message="<script>" OR message="javascript:" OR message="onerror=" OR message="onload=")
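As an added example (not from this page or from IBM), the following Python script applies the indicator strings from the SIEM query above to constructed audit-log lines. Unlike the literal query, it decodes URL and HTML-entity encoding and matches case-insensitively, so a payload that was stored in encoded form is still flagged. The log line format, field names and user names are assumptions made for the example.

```python
import re
from html import unescape
from urllib.parse import unquote_plus

# Indicator substrings taken from the page's SIEM query, compared case-insensitively.
INDICATORS = ("<script", "javascript:", "onerror=", "onload=")

# Constructed audit-log lines in a hypothetical key=value format (not a real product log).
SAMPLE_LOG = """\
2025-06-01T10:00:01Z user=alice method=POST path=/form/save value="Quarterly budget review"
2025-06-01T10:00:07Z user=bob method=POST path=/form/save value="<img src=x onerror=alert(1)>"
2025-06-01T10:00:09Z user=bob method=POST path=/form/save value="%3Cscript%3Ealert(1)%3C%2Fscript%3E"
2025-06-01T10:00:12Z user=carol method=POST path=/form/save value="Link: &#106;avascript:void(0)"
2025-06-01T10:00:15Z user=dave method=GET path=/form/list value=""
"""
LINE_RE = re.compile(r'user=(?P<user>\S+) .*?value="(?P<value>.*)"$')


def normalize(value: str) -> str:
    """Undo URL and HTML-entity encoding (two rounds, for double encoding) and lowercase."""
    for _ in range(2):
        value = unescape(unquote_plus(value))
    return value.lower()


def indicators_in(value: str) -> list[str]:
    """Return the indicators present in one submitted field value after normalization."""
    text = normalize(value)
    return [i for i in INDICATORS if i in text]


def scan_log(log: str) -> dict[str, list[str]]:
    """Map each user to the distinct indicators seen across their submitted values."""
    hits: dict[str, list[str]] = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a submitted value
        found = indicators_in(m["value"])
        if found:
            bucket = hits.setdefault(m["user"], [])
            bucket.extend(i for i in found if i not in bucket)
    return hits


if __name__ == "__main__":
    for user, found in scan_log(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(found)}")
```

Running the script reports bob (onerror=, <script) and carol (javascript:); alice and dave produce no hits.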