CVE-2025-36033 — Cross-site Scripting in IBM Engineering Lifecycle Management Global Configuration Management

CWE-79 — Cross-site Scripting CWE-87 — Improper Neutralization of Alternate XSS Syntax5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 89.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Engineering Lifecycle Management Global Configuration Management IBM Engineering Lifecycle Management

Timeline

PublishedFeb 3

Latest updateFeb 4

Description

IBM Engineering Lifecycle Management - Global Configuration Management 7.0.3 through 7.0.3 Interim Fix 017, and 7.1.0 through 7.1.0 Interim Fix 004 IBM Global Configuration Management is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5ibm/engineering_lifecycle_management_global_configuration_management7.0.3 — 7.0.3 Interim Fix 017+1

▶NVDibm/engineering_lifecycle_management7.0.3, 7.1.0+1

🔴Vulnerability Details

GHSA

GHSA-mrxh-c37v-gc5w: IBM Engineering Lifecycle Management - Global Configuration Management 7↗2026-02-04

▶

CVEList

IBM Engineering Lifecycle Management - Global Configuration Management is vulnerable to cross-site scripting↗2026-02-03

▶

📋Vendor Advisories

Oracle

Oracle Oracle Analytics Risk Matrix: Platform Security (jsoup) — CVE-2022-36033↗2025-04-15

▶

Microsoft

jsoup may not sanitize Cross-Site Scripting (XSS) attempts if SafeList.preserveRelativeLinks is enabled↗2022-08-09

▶