A recently disclosed vulnerability, identified as CVE-2024-49785, has been found in IBM watsonx.ai, including its integration with IBM Cloud Pak for Data.
This vulnerability exposes users to cross-site scripting (XSS) attacks, potentially compromising sensitive information.
The issue arises from improper input neutralization in the Web UI of IBM watsonx.ai. Authenticated users can exploit this flaw to inject arbitrary JavaScript code into the application interface.
This could alter the intended functionality and lead to credential disclosure within a trusted session.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
The vulnerability has been classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries a CVSS Base Score of 5.4, indicating moderate severity.
Affected Products and Versions
| Product | Version(s) |
| IBM watsonx.ai on Cloud Pak for Data | 4.8 – 5.0.3 |
| IBM watsonx.ai | 1.1 – 2.0.3 |
IBM strongly advises users to upgrade to the following fixed versions to mitigate the risk:
| Product | Fixed Version(s) |
| IBM watsonx.ai on IBM Software Hub | 5.1.0 and above |
| IBM watsonx.ai | 2.1.0 and above |
IBM advises all customers to subscribe to “My Notifications” for timely alerts about security updates and product support bulletins.
Additionally, users can refer to IBM’s Secure Engineering Web Portal and Product Security Incident Response Blog for further guidance.
This vulnerability was disclosed on January 10, 2025, and is remotely exploitable, requiring some user interaction for successful exploitation.
For more details on upgrading and securing your systems, visit IBM’s official security bulletin or consult the CVE database entry.
By addressing this issue proactively, organizations can prevent potential exploitation and safeguard their sensitive data from malicious actors.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
A newly disclosed security vulnerability in IBM Robotic Process Automation (RPA) has raised concerns about potential data…
Researchers analyzed a new stealthy credit card skimmer that targets WordPress checkout pages by injecting…
Malware actors leverage popular platforms like YouTube and social media to distribute fake installers. Reputable…
The education and publishing giant Scholastic has fallen victim to a significant data breach affecting…
The QSC Loader service DLL named "loader.dll" leverages two distinct methods to obtain the path…
Cybercriminals are exploiting the recent critical LDAP vulnerabilities (CVE-2024-49112 and CVE-2024-49113) by distributing fake proof-of-concept…