A recently disclosed vulnerability, identified as CVE-2024-49785, has been found in IBM watsonx.ai, including its integration with IBM Cloud Pak for Data.
This vulnerability exposes users to cross-site scripting (XSS) attacks, potentially compromising sensitive information.
The issue arises from improper input neutralization in the Web UI of IBM watsonx.ai. Authenticated users can exploit this flaw to inject arbitrary JavaScript code into the application interface.
This could alter the intended functionality and lead to credential disclosure within a trusted session.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
The vulnerability has been classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries a CVSS Base Score of 5.4, indicating moderate severity.
Affected Products and Versions
| Product | Version(s) |
| IBM watsonx.ai on Cloud Pak for Data | 4.8 – 5.0.3 |
| IBM watsonx.ai | 1.1 – 2.0.3 |
IBM strongly advises users to upgrade to the following fixed versions to mitigate the risk:
| Product | Fixed Version(s) |
| IBM watsonx.ai on IBM Software Hub | 5.1.0 and above |
| IBM watsonx.ai | 2.1.0 and above |
IBM advises all customers to subscribe to “My Notifications” for timely alerts about security updates and product support bulletins.
Additionally, users can refer to IBM’s Secure Engineering Web Portal and Product Security Incident Response Blog for further guidance.
This vulnerability was disclosed on January 10, 2025, and is remotely exploitable, requiring some user interaction for successful exploitation.
For more details on upgrading and securing your systems, visit IBM’s official security bulletin or consult the CVE database entry.
By addressing this issue proactively, organizations can prevent potential exploitation and safeguard their sensitive data from malicious actors.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
Brinker, an innovative narrative intelligence platform dedicated to combating disinformation and influence campaigns, has been…
A recent investigation by cybersecurity researchers has uncovered a large-scale malware campaign leveraging the DeepSeek…
A recent malware campaign has been observed targeting the First Ukrainian International Bank (PUMB), utilizing…
A newly discovered malware, dubbed Trojan.Arcanum, is targeting enthusiasts of tarot, astrology, and other esoteric…
A sophisticated phishing campaign orchestrated by a Russian-speaking threat actor has been uncovered, revealing the…
A sophisticated malware campaign has compromised over 1,500 PostgreSQL servers, leveraging fileless techniques to deploy…
