CVE-2024-49337 MEDIUM

CVE-2024-49337: IBM OpenPages HTML injection

Vendor Ibm
Product OpenPages with Watson
Weakness CWE-80 · XSS · basic
Published February 20, 2025
Last update August 15, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages is vulnerable to HTML injection, caused by improper validation of user-supplied input of text fields used to construct workflow email notifications. A remote authenticated attacker could exploit this vulnerability using HTML tags in a text field of an object to inject malicious script into an email which would be executed in a victim's mail client within the security context of the OpenPages mail message. An attacker could use this for phishing or identity theft attacks.

Key dates

02Disclosure timeline

February 20, 2025 CVE published
August 15, 2025 Record updated