CVE-2025-36054

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.1%

top 82.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Business Automation Workflow Containers IBM Business Automation Workflow Traditional With Process Federation Server IBM Business Automation Workflow +1 more

Timeline

PublishedNov 6

Description

IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶CVEListV5ibm/business_automation_workflow_traditional_with_process_federation_server24.0.0 — 24.0.1+1

▶CVEListV5ibm/business_automation_workflow_containers24.0.0 — 24.0.0-IF006+2

▶NVDibm/business_automation_workflow24.0.0, 24.0.1, 25.0.0+2

▶NVDibm/process_federation_server24.0.0, 24.0.1, 25.0.0+2

Patches

Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-954p-ff4g-qrwj: IBM Business Automation Workflow containers 24↗2025-11-06

▶

CVEList

Cross-site scripting vulnerability affect IBM Business Automation Workflow Process Federation Server -↗2025-11-06

▶