HTML Injection Vulnerability in IBM OpenPages by IBM
CVE-2024-49337
5.4 MEDIUM
Summary
IBM OpenPages versions 8.3 and 9.0 are susceptible to an HTML injection vulnerability caused by inadequate validation of user input in the text fields used to compose workflow email notifications. A remote authenticated attacker can exploit the flaw by including HTML tags in text fields of certain objects. The injected markup, including malicious scripts, is carried into the notification emails and executed in the context of the OpenPages mail client. Exploitation can enable phishing and identity theft, posing significant security risks to users.
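The class of flaw described above, shown as an added example that is not IBM's code: a notification template that interpolates object fields verbatim, next to one that encodes them for the HTML context, plus a check that flags fields carrying markup. The object layout, field names and addresses are assumptions made for illustration.

```python
import html
import re
from email.message import EmailMessage

# Constructed sample input; the field names are hypothetical, not OpenPages' schema.
SAMPLE_TASK = {
    "name": "Q3 control review",
    "description": 'Please sign in <a href="https://example.invalid/login">here</a><img src=x>',
    "assignee": "reviewer@example.com",
}

# Matches anything shaped like an opening or closing HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def fields_with_markup(obj):
    """Names of text fields that contain HTML tags, for logging or review."""
    return sorted(k for k, v in obj.items()
                  if isinstance(v, str) and TAG_RE.search(v))

def render_unsafe(obj):
    """Flawed pattern: user-controlled values land in the HTML body verbatim."""
    return f"<p>Task <b>{obj['name']}</b></p><p>{obj['description']}</p>"

def render_safe(obj):
    """Encode every user-controlled value before it enters the HTML body."""
    name = html.escape(obj["name"], quote=True)
    desc = html.escape(obj["description"], quote=True)
    return f"<p>Task <b>{name}</b></p><p>{desc}</p>"

def build_notification(obj, sender="notify@example.com"):
    """Compose the mail with a plain-text part and an encoded HTML alternative."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = obj["assignee"]
    # Collapse CR/LF so a field value cannot break out of the Subject header.
    msg["Subject"] = "Workflow task: " + re.sub(r"[\r\n]+", " ", obj["name"])
    msg.set_content(f"Task {obj['name']}\n\n{obj['description']}")
    msg.add_alternative(render_safe(obj), subtype="html")
    return msg

if __name__ == "__main__":
    print("fields carrying markup:", fields_with_markup(SAMPLE_TASK))
    print(build_notification(SAMPLE_TASK).get_body(("html",)).get_content())
```

Encoding at render time keeps the stored value intact while the mail client displays the tags as literal text instead of interpreting them.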
Affected Version(s)
OpenPages with Watson 8.3, 9.0
References
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published