IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8

is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Fixes

Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH67546. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature. For IBM WebSphere Application Server Liberty 17.0.0.3 - 25.0.0.8 using the wasJmsServer-1.0, wasJmsSecurity-1.0, wasJmsClient-2.0, messagingServer-3.0, messagingSecurity-3.0, or messagingClient-3.0 feature(s): · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH67546 --OR-- · Apply Liberty Fix Pack 25.0.0.9 or later (targeted availability 3Q2025). Additional interim fixes may be available and linked off the interim fix download page.


Workaround

No workaround given by the vendor.

History

Thu, 14 Aug 2025 06:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:*

Tue, 12 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 Aug 2025 19:45:00 +0000

Type Values Removed Values Added
Description IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Title IBM WebSphere Application Server Liberty cross-site scripting
First Time appeared Ibm
Ibm websphere Application Server
Weaknesses CWE-79
CPEs cpe:2.3:a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*
cpe:2.3:a:ibm:websphere_application_server:25.0.0.7:*:*:*:liberty:*:*:*
Vendors & Products Ibm
Ibm websphere Application Server
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2025-08-12T19:46:11.373Z

Reserved: 2025-04-15T21:16:05.532Z

Link: CVE-2025-36000

cve-icon Vulnrichment

Updated: 2025-08-12T19:45:57.778Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-12T20:15:30.360

Modified: 2025-08-14T01:29:01.043

Link: CVE-2025-36000

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.