IBM Cloud Pak for Business Automation vulnerabilities

24 known vulnerabilities affecting ibm/cloud_pak_for_business_automation.

Total CVEs: 24
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3, MEDIUM 19, LOW 1

Vulnerabilities

Page 1 of 2
CVE-2025-36094 | HIGH | CVSS 8.1 | v24.0.0, v24.0.1, +4 more | 2026-02-03
[MEDIUM] CWE-1284: IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 could allow an authenticated user to cause a denial of service or corrupt existing data due to the improper validation of input length.
cvelistv5, nvd
CVE-2025-36436 | MEDIUM | CVSS 5.4 | v24.0.0, v24.0.1, +4 more | 2026-02-02
[MEDIUM] CWE-79: IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentiall
cvelistv5, nvd
CVE-2025-36093 | HIGH | CVSS 7.4 | v24.0.0, v24.0.1, +1 more | 2025-11-03
[MEDIUM] CWE-602: IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an attacker to access unauthorized content or perform unauthorized actions using man in the middle techniques due to improper access controls.
cvelistv5, nvd
CVE-2025-36092 | MEDIUM | CVSS 6.5 | v24.0.0, v24.0.1, +1 more | 2025-11-03
[MEDIUM] CWE-1284: IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an authenticated user to cause a denial of service due to the improper validation of input length.
cvelistv5, nvd
CVE-2025-36172 | MEDIUM | CVSS 5.4 | v24.0.0, v24.0.1, +4 more | 2025-11-03
[MEDIUM] CWE-79: IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in
cvelistv5, nvd
CVE-2025-36091 | MEDIUM | CVSS 4.3 | v24.0.0, v24.0.1, +1 more | 2025-11-03
[MEDIUM] CWE-283: IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an authenticated user to cause dashboards to become inaccessible to legitimate users due to invalid ownership assignment.
cvelistv5, nvd
CVE-2025-36023 | MEDIUM | CVSS 6.5 | v24.0.0, v24.0.1, +2 more | 2025-08-08
[MEDIUM] CWE-639: IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key.
cvelistv5, nvd
CVE-2024-41753 | MEDIUM | CVSS 6.1 | v24.0.0, v24.0.1, +2 more | 2025-05-03
[MEDIUM] CWE-79: IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF004 and 24.0.1 through 24.0.1 IF001 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
cvelistv5, nvd
CVE-2025-1838 | MEDIUM | CVSS 6.5 | v24.0.0, v24.0.1, +2 more | 2025-05-03
[MEDIUM] CWE-602: IBM Cloud Pak for Business Automation 24.0.0 and 24.0.1 through 24.0.1 IF001 Authoring allows an authenticated user to bypass client-side data validation in an authoring user interface which could cause a denial of service.
cvelistv5, nvd
CVE-2024-49348 | MEDIUM | CVSS 6.5 | v18.0.0, v18.0.1, +13 more | 2025-02-05
[MEDIUM] CWE-266: IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 allows restricting access to organizational data to valid contexts. The fact that tasks of type comment can be reassigned via API implicitly grants access to user queries in an unexpected context.
cvelistv5, nvd
CVE-2024-52365 | MEDIUM | CVSS 5.4 | v18.0.0, v18.0.1, +13 more | 2025-02-05
[MEDIUM] CWE-79: IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially lead
cvelistv5, nvd
CVE-2024-52364 | MEDIUM | CVSS 5.4 | v18.0.0, v18.0.1, +13 more | 2025-02-05
[MEDIUM] CWE-79: IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to
cvelistv5, nvd
CVE-2024-31897 | MEDIUM | CVSS 4.3 | ≥ 18.0.0, ≤ 18.0.2; ≥ 19.0.1, ≤ 19.0.3; +8 more | 2024-07-08
[MEDIUM] CWE-918: IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2, 23.0.1, and 23.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration o
cvelistv5, nvd
CVE-2024-37528 | MEDIUM | CVSS 5.4 | ≥ 18.0.0, ≤ 18.0.2; ≥ 19.0.1, ≤ 19.0.3; +8 more | 2024-07-08
[MEDIUM] CWE-79: IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2, 23.0.1, and 23.0.2 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentiall
cvelistv5, nvd
CVE-2023-50959 | MEDIUM | CVSS 6.5 | v18.0.0, v18.0.1, +15 more | 2024-03-31
[MEDIUM] CWE-497: IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2, 23.0.1, and 23.0.2 may allow end users to query more documents than expected from a connected Enterprise Content Management system when configured to use a system account. IBM X-Force ID: 275938.
cvelistv5, nvd
CVE-2023-35899 | CRITICAL | CVSS 9.8 | v18.0.0, v18.0.1, +13 more | 2024-03-21
[HIGH] CWE-1236: IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.
nvd
CVE-2023-38367 | MEDIUM | CVSS 6.5 | v18.0.0, v18.0.1, +13 more | 2024-02-29
[MEDIUM] CWE-287: IBM Cloud Pak Foundational Services Identity Provider (idP) API (IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2) allows CRUD Operations with an invalid token. This could allow an unauthenticated attacker to view, update, delete or create an IdP configura
nvd
CVE-2023-50947 | MEDIUM | CVSS 5.4 | ≥ 18.0.0, ≤ 18.0.2; ≥ 19.0.1, ≤ 19.0.3; +7 more | 2024-02-04
[MEDIUM] CWE-79: IBM Business Automation Workflow 22.0.2, 23.0.1, and 23.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 275665.
nvd
CVE-2023-40691 | MEDIUM | CVSS 4.9 | v18.0.0, v18.0.2, +9 more | 2023-12-18
[MEDIUM] CWE-200: IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 may reveal sensitive information contained in application configuration to developer and administrator users. IBM X-Force ID: 264805.
cvelistv5, nvd
CVE-2023-35024 | HIGH | CVSS 7.6 | v18.0.0, v18.0.1, +13 more | 2023-10-14
[MEDIUM] CWE-79: IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials dis
cvelistv5, nvd