CVE-2025-33104: 
IBM WebSphere Application Server vulnerability analysis and mitigation

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting (CVE-2025-33104). The vulnerability was discovered and disclosed on May 14, 2025, affecting the Web UI interface of the application server. This security flaw enables users to embed arbitrary JavaScript code in the Web UI, potentially compromising the intended functionality and leading to credentials disclosure within trusted sessions (IBM Security, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, has high attack complexity, needs low privileges, requires user interaction, and has a changed scope. The vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (IBM Security).

The vulnerability can lead to credentials disclosure within trusted sessions when successfully exploited. The impact assessment shows low confidentiality and integrity impact, with no effect on availability. The cross-site scripting vulnerability allows attackers to alter the intended functionality of the Web UI through embedded malicious JavaScript code (IBM Security).

IBM recommends addressing the vulnerability by applying currently available interim fixes or fix packs containing the fix for APAR PH66028. For WebSphere Application Server V9.0.0.0 through 9.0.5.23, users should either upgrade to Fix Pack 9.0.5.24 or later (targeted for 2Q2025) or apply the Interim Fix for PH66028. For V8.5.0.0 through 8.5.5.27, users should upgrade to Fix Pack 8.5.5.28 or later (targeted for 3Q2025) or apply the Interim Fix for PH66028. No workarounds are available for this vulnerability (IBM Security).