IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
PUBLISHED | 5.2 | Application | CWE-79
IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vulnerabilities HTML / XSS Injection observed
Problem type
Affected products
IBM
Engineering Workflow Management
<= 7.0.3 Interim Fix 020 - AFFECTED
<= 7.1 Interim Fix 007 - AFFECTED
References
GitHub Security Advisories
GHSA-qx9x-w8gf-h8rf
https://github.com/advisories/GHSA-qx9x-w8gf-h8rf
JSON source
https://cveawg.mitre.org/api/cve/CVE-2025-33128
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-33128",
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"dateUpdated": "2026-06-22T13:20:14.904Z",
"dateReserved": "2025-04-15T17:51:11.505Z",
"datePublished": "2026-06-22T13:20:14.904Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm",
"dateUpdated": "2026-06-22T13:20:14.904Z"
},
"title": "IBM Engineering Lifecycle Management - Engineering Workflow Management is impacted by vulnerabilities HTML / XSS Injection observed",
"descriptions": [
{
"lang": "en",
"value": "IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "<p>IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.</p>"
}
]
}
],
"affected": [
{
"vendor": "IBM",
"product": "Engineering Workflow Management",
"cpes": [
"cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_workflow_management:7.0.3:interim_fix_020:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_workflow_management:7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_workflow_management:7.1:interim_fix_007:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_workflow_management:7.1.0:interim_fix_007:*:*:*:*:*:*"
],
"versions": [
{
"version": "7.0.3",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "7.0.3 Interim Fix 020"
},
{
"version": "7.1.0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "7.1 Interim Fix 007"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7276116",
"tags": [
"vendor-advisory",
"patch"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
],
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
}
}
],
"solutions": [
{
"lang": "en",
"value": "Affected Product(s)Version(s)Remediation/Fix/Instructions\n\nIBM Engineering Lifecycle Management - Engineering Workflow Management\n\n7.0.3Download and install iFix021 https://www.ibm.com/support/fixcentral/swg/downloadFixes or later\n\nIBM Engineering Lifecycle Management - Engineering Workflow Management\n\n7.1.0Download and install iFix008 https://www.ibm.com/support/fixcentral/swg/downloadFixes or later",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "<div><table><tbody><tr><td>Affected Product(s)</td><td>Version(s)</td><td>Remediation/Fix/Instructions</td></tr><tr><td><p>IBM Engineering Lifecycle Management - Engineering Workflow Management</p></td><td>7.0.3</td><td>Download and install <a href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.3&platform=All&function=fixId&fixids=7.0.3-IBM-ELM-iFix021&includeRequisites=0&includeSupersedes=0&downloadMethod=ddp\" rel=\"nofollow\">iFix021</a> or later</td></tr><tr><td><p>IBM Engineering Lifecycle Management - Engineering Workflow Management</p></td><td>7.1.0</td><td>Download and install <a href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.1&platform=All&function=fixId&fixids=7.1-IBM-ELM-iFix008&includeRequisites=0&includeSupersedes=0&downloadMethod=ddp\" rel=\"nofollow\">iFix008</a> or later</td></tr></tbody></table></div>"
}
]
}
]
}
}
}