Impact
IBM watsonx.data intelligence 5.2.0 to 5.3.0 contains an improper input validation flaw that allows an authenticated user to inject arbitrary JavaScript into the web interface. The injected code runs with the privileges of the logged‑in user, enabling an attacker to capture session data or perform other malicious actions, which can lead to credential disclosure or other unauthorized activities.
Affected Systems
The affected product is IBM watsonx.data intelligence. Versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0 are impacted. IBM has released a fix in the 5.3.1 release and later.
Risk and Exploitability
The CVSS score of 5.4 places this flaw in the medium severity range. The EPSS score is not available and the vulnerability is not listed in CISA KEV, indicating limited evidence of exploitation in the wild. Attackers must first authenticate to the watsonx.data intelligence web UI, so the attack vector is limited to authorized users. Overall, the risk is moderate, but the potential to expose user credentials or session tokens warrants prompt remediation.