LiveActive security incident?Get immediate response
CVE Record

CVE-2019-4226: IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting.

IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 159243.

MediumCVSS 5.4Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

IBM Cloud Pak System has a Web UI cross-site scripting issue that can let a logged-in user embed JavaScript. If another trusted user interacts with affected content, the script could alter the UI and expose credentials within that session.

Executive priority

Handle in normal vulnerability remediation cycles unless the Web UI is broadly exposed or used by many privileged users. Prioritize faster if administrative credentials could be affected or exposure extends beyond trusted internal networks.

Technical view

CVE-2019-4226 is a network-reachable XSS vulnerability in IBM Cloud Pak System Web UI. The CVSS 3.0 score is 5.4, with low complexity, low privileges required, user interaction required, changed scope, and low confidentiality and integrity impact.

Likely exposure

Exposure is most relevant where IBM Cloud Pak System Web UI is reachable by users beyond a tightly controlled administrator group. The source bundle is inconsistent on exact versions: the description lists 2.3 and 2.3.0.1, while the affected array also mentions 2.2.

Exploitation context

The bundle reports exploit maturity as high in the CVSS vector, but it does not cite CISA KEV listing or confirmed active exploitation. Treat this as a credible XSS risk, not as source-confirmed active exploitation.

Researcher notes

Available evidence supports XSS with credential disclosure potential in a trusted session. The sources do not provide exploit procedure details here, and version evidence is inconsistent. Validate affected releases directly against IBM’s advisory before scoping remediation.

Mitigation direction

  • Review IBM advisory and X-Force entry for vendor remediation details.
  • Apply IBM-recommended updates or fixes after confirming the affected release.
  • Restrict Web UI access to trusted administrators and management networks.
  • Review session and credential-handling controls for administrative users.

Validation and detection

  • Inventory IBM Cloud Pak System deployments and record exact versions.
  • Confirm whether versions 2.3, 2.3.0.1, or 2.2 are present.
  • Verify whether IBM remediation has been applied through change records.
  • Check whether the Web UI is reachable from untrusted networks.
  • Review security logs for unusual Web UI activity or credential-related alerts.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2019-4226 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.4 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/A:N/S:C/I:L/AC:L/AV:N/C:L/UI:R/PR:L/RC:C/RL:O/E:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.4CVSS 3.0MediumCVSS:3.0/A:N/S:C/I:L/AC:L/AV:N/C:L/UI:R/PR:L/RC:C/RL:O/E:H2.32.7Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

5.4Medium
CVSS 3.0 vector shape for CVE-2019-4226Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/A:N/S:C/I:L/AC:L/AV:N/C:L/UI:R/PR:L/RC:C/RL:O/E:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
IBMCloud Pak System2.3, 2.2Listed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.