Description
IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Published: 2026-06-22
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site scripting vulnerability exists in IBM Engineering Workflow Management. An authenticated user can embed arbitrary JavaScript into the Web UI, altering intended functionality and potentially revealing session credentials to the attacker.

Affected Systems

IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020 and 7.1 through 7.1 Interim Fix 007 are affected. IBM fixes the issue in 7.0.3 iFix021 and 7.1.0 iFix008; installing either of those interim fixes, or any later one on the same release line, removes the vulnerability.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 (Medium) comes from the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: the attacker needs only a low-privileged account (PR:L), the victim must interact by viewing the injected content (UI:R), and the script executes in the victim's browser rather than in the server's security context (S:C), with limited impact on confidentiality and integrity and none on availability. The vulnerability is not listed in the CISA KEV catalog, no EPSS score is available, and no public exploit is documented, so the likelihood of exploitation is currently assessed as limited. The most probable attack is an authenticated user (an ordinary account suffices, as PR:L indicates) injecting a script that the Web UI renders to other users, including more privileged ones, whose session credentials may then be disclosed. Applying the disclosed interim fixes removes the flaw; restricting which accounts can author content in the Web UI narrows the pool of potential attackers but does not by itself prevent exploitation.

Generated by OpenCVE AI on June 22, 2026 at 14:20 UTC.

Remediation

Vendor Solution

Affected Product(s) | Version(s) | Remediation/Fix/Instructions
IBM Engineering Lifecycle Management - Engineering Workflow Management | 7.0.3 | Download and install iFix021 or later from IBM Fix Central: https://www.ibm.com/support/fixcentral/swg/downloadFixes
IBM Engineering Lifecycle Management - Engineering Workflow Management | 7.1.0 | Download and install iFix008 or later from IBM Fix Central: https://www.ibm.com/support/fixcentral/swg/downloadFixes


OpenCVE Recommended Actions

  • Download and install iFix021 or later for IBM Engineering Workflow Management 7.0.3 from IBM Fix Central
  • Download and install iFix008 or later for IBM Engineering Workflow Management 7.1.0 from IBM Fix Central
  • Until the fix is applied, keep Web UI accounts at the minimum required privileges; this reduces the number of users who can inject content but does not prevent exploitation, since the vector rates the privilege needed as low (PR:L)
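As an added example (not from OpenCVE or IBM), the following script turns the two affected ranges above into a check that can be run over an inventory export. It assumes version strings in the forms the page uses (`7.0.3 iFix020`, `7.1 Interim Fix 007`, or a bare release), treats `7.1` and `7.1.0` as the same release line as the CPE list does, and reports a release line the advisory does not mention (for example 7.0.2) as outside the advisory's scope rather than as safe, because the page says nothing about it. The hostnames in the sample inventory are constructed.

```python
"""Classify installed IBM Engineering Workflow Management builds against this
entry's affected ranges.  Added example; not code from OpenCVE or IBM."""
import re

# First fixed interim fix per release line, from the advisory's remediation
# table (7.0.3 -> iFix021, 7.1.0 -> iFix008).  Anything on these lines below
# the listed number is in the affected range given in the description.
FIXED_IFIX = {"7.0.3": 21, "7.1.0": 8}

# Accepts "7.0.3", "7.0.3 iFix020", "7.1 Interim Fix 007", "7.1.0 ifix 8".
_VERSION_RE = re.compile(
    r"^\s*(\d+(?:\.\d+)*)\s*(?:(?:iFix|Interim\s+Fix)\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def normalize_release(release: str) -> str:
    """Pad to three components and drop leading zeros so 7.1 == 7.1.0."""
    parts = release.split(".")
    while len(parts) < 3:
        parts.append("0")
    return ".".join(str(int(p)) for p in parts)


def parse_build(text: str) -> tuple[str, int]:
    """Return (normalized release, interim fix number); a bare release is iFix 0."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognized version string: {text!r}")
    return normalize_release(match.group(1)), int(match.group(2) or 0)


def assess(text: str) -> str:
    """'affected', 'fixed', or 'not covered by this advisory' for one build string."""
    release, ifix = parse_build(text)
    fixed = FIXED_IFIX.get(release)
    if fixed is None:
        # The advisory lists only 7.0.3 and 7.1.0; do not guess about other lines.
        return "not covered by this advisory"
    return "fixed" if ifix >= fixed else "affected"


# Constructed sample inventory: "host, version" lines (hostnames are hypothetical).
SAMPLE_INVENTORY = """\
ewm-prod-01, 7.0.3 iFix020
ewm-prod-02, 7.0.3 iFix021
ewm-test-01, 7.1
ewm-test-02, 7.1.0 Interim Fix 008
ewm-legacy-01, 7.0.2 iFix030
"""


def assess_inventory(csv_text: str) -> dict[str, str]:
    """Map each host in a 'host, version' listing to its assessment."""
    results = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, version = (field.strip() for field in line.split(",", 1))
        results[host] = assess(version)
    return results


if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {verdict}")
```

Keeping the fixed-iFix numbers in one table mirrors how the advisory is structured and makes the check easy to extend when IBM publishes a later interim fix on the same line; the "not covered" verdict is deliberate, because a release the advisory omits may be unsupported rather than unaffected.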

Generated by OpenCVE AI on June 22, 2026 at 14:20 UTC.


Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Title | (none) | IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vulnerabilities HTML / XSS Injection observed
First Time appeared | (none) | Ibm; Ibm engineering Workflow Management
Weaknesses | (none) | CWE-79
CPEs | (none) | cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:interim_fix_020:*:*:*:*:*:*
  cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:interim_fix_007:*:*:*:*:*:*
  cpe:2.3:a:ibm:engineering_workflow_management:7.1:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:engineering_workflow_management:7.1:interim_fix_007:*:*:*:*:*:*
Vendors & Products | (none) | Ibm; Ibm engineering Workflow Management
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Ibm Engineering Workflow Management
MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-22T13:20:14.904Z

Reserved: 2025-04-15T17:51:11.505Z

Link: CVE-2025-33128

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T14:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')