CVE-2025-36033 PUBLISHED

IBM Engineering Lifecycle Management - Global Configuration Management is vulnerable to cross-site scripting

Assigner: ibm
Reserved: 15.04.2025 Published: 03.02.2026 Updated: 04.02.2026

IBM Engineering Lifecycle Management - Global Configuration Management 7.0.3 through 7.0.3 Interim Fix 017, and 7.1.0 through 7.1.0 Interim Fix 004 IBM Global Configuration Management is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	IBM
Product	Engineering Lifecycle Management - Global Configuration Management
Versions	affected from 7.0.3 to 7.0.3 Interim Fix 017 (incl.) affected from 7.1.0 to 7.1.0 Interim Fix 004 (incl.)

Solutions

IBM strongly recommends addressing the vulnerability now by upgrading to iFixes detailed below:

IBM recommends customers on ELM 7.0.1, 7.0.2 or any version below 7.0.3 to upgrade your products to Maintenance release 7.0.3 and apply below fix.

Optionally, upgrade to the latest 7.2.0 version.

Affected Product(s)Version(s)Remediation/Fix/InstructionsIBM Engineering Lifecycle Management - Jazz Foundation

7.0.3Download and install iFix018 https://www.ibm.com/support/fixcentral/swg/downloadFixes or laterIBM Engineering Lifecycle Management - Jazz Foundation

7.1.0Download and install iFix005 https://www.ibm.com/support/fixcentral/swg/downloadFixes or later

References

https://www.ibm.com/support/pages/node/7258063

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE