{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-36033", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-04-15T21:16:09.684Z", "datePublished": "2026-02-03T22:12:29.853Z", "dateUpdated": "2026-02-03T22:12:36.858Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:ibm:engineering_lifecycle_management___global_configuration_management:7.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:engineering_lifecycle_management___global_configuration_management:7.0.3:interim_fix_017:*:*:*:*:*:*", "cpe:2.3:a:ibm:engineering_lifecycle_management___global_configuration_management:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:engineering_lifecycle_management___global_configuration_management:7.1.0:interim_fix_004:*:*:*:*:*:*"], "product": "Engineering Lifecycle Management - Global Configuration Management", "vendor": "IBM", "versions": [{"lessThanOrEqual": "7.0.3 Interim Fix 017", "status": "affected", "version": "7.0.3", "versionType": "semver"}, {"lessThanOrEqual": "7.1.0 Interim Fix 004", "status": "affected", "version": "7.1.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>IBM Engineering Lifecycle Management - Global Configuration Management 7.0.3 through 7.0.3 Interim Fix 017, and 7.1.0 through 7.1.0 Interim Fix 004 IBM Global Configuration Management is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.</p>"}], "value": "IBM Engineering Lifecycle Management - Global Configuration Management 7.0.3 through 7.0.3 Interim Fix 017, and 7.1.0 through 7.1.0 Interim Fix 004 IBM Global Configuration Management is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-02-03T22:12:36.858Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://www.ibm.com/support/pages/node/7258063"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>IBM strongly recommends addressing the vulnerability now by upgrading to iFixes detailed below:</p><p>IBM recommends customers on ELM 7.0.1, 7.0.2 or any version below 7.0.3 to upgrade your products to Maintenance release 7.0.3 and apply below fix.</p><p>Optionally, upgrade to the latest 7.2.0 version.</p><div><table><tbody><tr><td><strong>Affected Product(s)</strong></td><td><strong>Version(s)</strong></td><td><strong>Remediation/Fix/Instructions</strong></td></tr><tr><td><p>IBM Engineering Lifecycle Management - Jazz Foundation</p></td><td>7.0.3</td><td>Download and install <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering&amp;product=ibm/Rational/IBM+Engineering+Lifecycle+Management&amp;release=7.0.3&amp;platform=All&amp;function=fixId&amp;fixids=7.0.3-IBM-ELM-iFix018&amp;includeRequisites=0&amp;includeSupersedes=0&amp;downloadMethod=ddp\">iFix018</a>&nbsp;or later</td></tr><tr><td><p>IBM Engineering Lifecycle Management - Jazz Foundation</p></td><td>7.1.0</td><td>Download and install <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering&amp;product=ibm/Rational/IBM+Engineering+Lifecycle+Management&amp;release=7.1&amp;platform=All&amp;function=fixId&amp;fixids=7.1-IBM-ELM-iFix005&amp;includeRequisites=1&amp;includeSupersedes=0&amp;downloadMethod=ddp\">iFix005</a>&nbsp;or later</td></tr></tbody></table></div><br><br>"}], "value": "IBM strongly recommends addressing the vulnerability now by upgrading to iFixes detailed below:\n\nIBM recommends customers on ELM 7.0.1, 7.0.2 or any version below 7.0.3 to upgrade your products to Maintenance release 7.0.3 and apply below fix.\n\nOptionally, upgrade to the latest 7.2.0 version.\n\nAffected Product(s)Version(s)Remediation/Fix/InstructionsIBM Engineering Lifecycle Management - Jazz Foundation\n\n7.0.3Download and install iFix018 https://www.ibm.com/support/fixcentral/swg/downloadFixes \u00a0or laterIBM Engineering Lifecycle Management - Jazz Foundation\n\n7.1.0Download and install iFix005 https://www.ibm.com/support/fixcentral/swg/downloadFixes \u00a0or later"}], "title": "IBM Engineering Lifecycle Management - Global Configuration Management is vulnerable to cross-site scripting", "x_generator": {"engine": "ibm-cvegen"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Engineering Lifecycle Management - Global Configuration Management 7.0.3 through 7.0.3 Interim Fix 017, and 7.1.0 through 7.1.0 Interim Fix 004 IBM Global Configuration Management is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."}], "id": "CVE-2025-36033", "lastModified": "2026-02-03T23:16:05.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-02-03T23:16:05.620", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7258063"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{}