VYPR
Unrated severity · NVD Advisory · Published Jul 13, 2021 · Updated Sep 16, 2024

CVE-2021-20364

Description

IBM Cloud Pak for Applications 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality, potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 195035.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Cloud Pak for Applications 4.3 has a stored XSS flaw allowing an authenticated attacker to inject arbitrary JavaScript, potentially stealing credentials.

Vulnerability

IBM Cloud Pak for Applications version 4.3 is vulnerable to cross-site scripting (XSS). This flaw allows an authenticated user to embed arbitrary JavaScript code in the Web UI, altering intended functionality. The vulnerability affects all versions of IBM Cloud Pak for Applications 4.3 [1].

Exploitation

An attacker must have a valid user account with the ability to post or edit content in the Web UI. No special privileges beyond standard user access are required. The attack does not require user interaction beyond the victim viewing the crafted page; the injected script executes in the context of the victim's session [1].

Impact

Successful exploitation leads to disclosure of sensitive information, including credentials, within the trusted session of the victim. The attacker gains unauthorized access to data that the session can access, potentially compromising the integrity and confidentiality of the system. The CVSS base score is 5.4 (Medium) [1].

Mitigation

IBM has released a fix for this vulnerability. The remediation is included in the product without a separate APAR; users should update to the latest version of IBM Cloud Pak for Applications 4.3 per the vendor's instructions. No workarounds are available [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2
