AVID-2026-R0029
Description
IBM watsonx.ai cross-site scripting
Details
IBM watsonx.ai 1.1 through 2.0.3 and IBM watsonx.ai on Cloud Pak for Data 4.8 through 5.0.3 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
References
Affected or Relevant Artifacts
- Developer: IBM
- Deployer: IBM
- Artifact Details:
| Type | Name |
|---|---|
| System | watsonx.ai |
| System | watsonx.ai on Cloud Pak for Data |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| Base Score | 5.4 |
| Base Severity | 🟠 Medium |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | 🟢 Low |
| Integrity Impact | 🟢 Low |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-79 | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-01-12
- Version: 0.2
- AVID Entry