CVE-2024-49337: IBM OpenPages HTML injection
Description
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages
is vulnerable to HTML injection, caused by improper validation of user-supplied input of text fields used to construct workflow email notifications. A remote authenticated attacker could exploit this vulnerability using HTML tags in a text field of an object to inject malicious script into an email which would be executed in a victim's mail client within the security context of the OpenPages mail message. An attacker could use this for phishing or identity theft attacks.
Classification
CVE ID: CVE-2024-49337
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.4
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Products
Vendor: IBM
Product: OpenPages with Watson
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.03% (probability of being exploited)
EPSS Percentile: 6.27% (scored less or equal to compared to others)
EPSS Date: 2025-03-21 (when was this score calculated)