Critical Vulnerability Information

Vulnerability Overview

CVE ID: CVE-2025-33104

Description: IBM WebSphere Application Server is affected by a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows users to embed arbitrary JavaScript code within the Web UI, potentially altering intended functionality and leading to credential exposure within trusted sessions.

CVSS Score

CVSS Source: IBM
CVSS Base Score: 4.4
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM WebSphere Application Server:
- Version 9.0
- Version 8.5

Remediation

Recommended Fix: IBM strongly recommends immediately applying the currently available interim fix or a fix pack that includes the APAR PH66028 fix.

For IBM WebSphere Application Server Traditional Edition:
- For versions V9.0.0.0 to 9.0.5.23:
  - Upgrade to the minimum fix pack level required by the interim fix, then apply the interim fix resolving PH66028.
  - Alternatively, apply Fix Pack 9.0.5.24 or later (expected to be available in Q2 2025).
- For versions V8.5.0.0 to 8.5.5.27:
  - Upgrade to the minimum fix pack level required by the interim fix, then apply the interim fix resolving PH66028.
  - Alternatively, apply Fix Pack 8.5.5.28 or later (expected to be available in Q3 2025).

Workarounds and Mitigations

None

References

Complete CVSS v3 Guide
Online Calculator v3

Additional Information

IBM Security Engineering Web Portal
IBM Product Security Incident Response Blog