CVE-2025-33128
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
An XSS vulnerability in IBM Engineering Workflow Management allows an authenticated user to embed arbitrary JavaScript code in the Web UI, potentially leading to credential disclosure within a trusted session.
Risk Assessment
An attacker could hijack another user's session, steal their login credentials, or perform unauthorized actions in the victim's context.
Recommendation
Apply the available fixes (Interim Fix 020 for version 7.0.3 or Interim Fix 007 for version 7.1) immediately and restrict user privileges to the minimum necessary.
Original NVD description (English source)
IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

