CVE-2025-36000: 
IBM WebSphere Application Server vulnerability analysis and mitigation

CVE-2025-36000 is a stored cross-site scripting vulnerability affecting IBM WebSphere Application Server Liberty versions 17.0.0.3 through 25.0.0.8. The vulnerability was discovered and disclosed on August 12, 2025, with initial analysis by NIST completed on August 13, 2025 (NVD, IBM Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and affects systems with the adminCenter-1.0 feature enabled. It has received a CVSS v3.1 base score of 4.8 (MEDIUM) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while IBM assessed it with a score of 4.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N (NVD).

This vulnerability allows privileged users to embed arbitrary JavaScript code in the Web UI, potentially leading to credentials disclosure within a trusted session. The impact is characterized by low confidentiality and integrity breaches, with no effect on availability (IBM Advisory).

IBM recommends addressing the vulnerability by either applying an interim fix containing the fix for APAR PH66669 or upgrading to Liberty Fix Pack 25.0.0.9 or later (targeted availability 3Q2025). No workarounds are available for this vulnerability (IBM Advisory).