CVE-2025-36172

IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Published: Nov 3, 2025
Updated: Nov 4, 2025
CVE: CVE-2025-36172
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.4
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
ibm / cloud_pak_for_business_automation	24.0.0	24.0.0.x
ibm / cloud_pak_for_business_automation	24.0.0-interim_fix_001	24.0.0-interim_fix_001.x
ibm / cloud_pak_for_business_automation	24.0.0-interim_fix_002	24.0.0-interim_fix_002.x
ibm / cloud_pak_for_business_automation	24.0.0-interim_fix_003	24.0.0-interim_fix_003.x
ibm / cloud_pak_for_business_automation	24.0.0-interim_fix_004	24.0.0-interim_fix_004.x
ibm / cloud_pak_for_business_automation	24.0.0-interim_fix_005	24.0.0-interim_fix_005.x
ibm / cloud_pak_for_business_automation	24.0.0-interim_fix_006	24.0.0-interim_fix_006.x
ibm / cloud_pak_for_business_automation	24.0.1	24.0.1.x
ibm / cloud_pak_for_business_automation	24.0.1-interim_fix_001	24.0.1-interim_fix_001.x
ibm / cloud_pak_for_business_automation	24.0.1-interim_fix_002	24.0.1-interim_fix_002.x
ibm / cloud_pak_for_business_automation	24.0.1-interim_fix_004	24.0.1-interim_fix_004.x
ibm / cloud_pak_for_business_automation	25.0.0	25.0.0.x
ibm / cloud_pak_for_business_automation	25.0.0-interim_fix_001	25.0.0-interim_fix_001.x

https://www.ibm.com/support/pages/node/7250047

Vulnerability Database

300,214

CVE-2025-36172

Deep Security Visibility Without the Complexity