is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Metrics
Affected Vendors & Products
Solution
IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH67546. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature. For IBM WebSphere Application Server Liberty 17.0.0.3 - 25.0.0.8 using the wasJmsServer-1.0, wasJmsSecurity-1.0, wasJmsClient-2.0, messagingServer-3.0, messagingSecurity-3.0, or messagingClient-3.0 feature(s): · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH67546 --OR-- · Apply Liberty Fix Pack 25.0.0.9 or later (targeted availability 3Q2025). Additional interim fixes may be available and linked off the interim fix download page.
Workaround
No workaround given by the vendor.
Link | Providers |
---|---|
https://www.ibm.com/support/pages/node/7242026 |
![]() ![]() |
Thu, 14 Aug 2025 06:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:* |
Tue, 12 Aug 2025 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 12 Aug 2025 19:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |
Title | IBM WebSphere Application Server Liberty cross-site scripting | |
First Time appeared |
Ibm
Ibm websphere Application Server |
|
Weaknesses | CWE-79 | |
CPEs | cpe:2.3:a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:* cpe:2.3:a:ibm:websphere_application_server:25.0.0.7:*:*:*:liberty:*:*:* |
|
Vendors & Products |
Ibm
Ibm websphere Application Server |
|
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: ibm
Published:
Updated: 2025-08-12T19:46:11.373Z
Reserved: 2025-04-15T21:16:05.532Z
Link: CVE-2025-36000

Updated: 2025-08-12T19:45:57.778Z

Status : Analyzed
Published: 2025-08-12T20:15:30.360
Modified: 2025-08-14T01:29:01.043
Link: CVE-2025-36000

No data.

No data.