Cross-Site Scripting Vulnerability in IBM Business Automation Workflow
CVE-2025-36054

6.1 MEDIUM

What is CVE-2025-36054?

IBM Business Automation Workflow is susceptible to cross-site scripting (XSS) attacks, which enable unauthenticated attackers to inject malicious JavaScript into the Web UI. This can lead to unauthorized modifications of site functionality, ultimately risking the disclosure of sensitive information such as user credentials during trusted sessions. It is crucial for users to apply the latest security updates as outlined in the vendor's advisory to mitigate these risks.

Affected Version(s)

Business Automation Workflow containers 24.0.0 <= 24.0.0-IF006

Business Automation Workflow containers 24.0.1 <= 24.0.1-IF004

Business Automation Workflow containers 25.0.0 <= 25.0.0-IF001

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
