Impact
A business‑grade instance of IBM InfoSphere Information Server releases 11.7.0.0 through 11.7.1.6 can store and display arbitrary JavaScript submitted by a privileged user in the Web UI. The stored scripts execute in the browsers of other authenticated users, which abuses the trust those users place in the application and can potentially reveal credentials or other sensitive data. This flaw is a typical stored cross‑site scripting vulnerability, classified as CWE‑79.
Affected Systems
IBM’s InfoSphere Information Server product is affected, specifically versions 11.7.0.0 up to 11.7.1.6 inclusive. The vulnerability is tied to the Web UI component of the product and applies regardless of the underlying operating system. Users running any of these versions should consider themselves at risk.
Risk and Exploitability
The CVSS score of 4.8 indicates moderate risk with limited access requirements. EPSS is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low probability of widespread exploitation. Exploitation requires a privileged user with access to the Web UI and the ability to create or edit content that will be stored. Once such a user injects malicious code, it runs in the browsers of other authenticated users, so the attack vector is primarily internal and requires existing credentials or compromised accounts within the same environment.
OpenCVE Enrichment