CVE-2024-49337

Name of the Vulnerable Software and Affected Versions IBM OpenPages with Watson versions 8.3 through 9.0

Description The issue is caused by improper validation of user-supplied input of text fields used to construct workflow email notifications, leading to HTML injection. A remote authenticated attacker could exploit this by using HTML tags in a text field of an object to inject malicious script into an email, which would be executed in a victim's mail client within the security context of the OpenPages mail message. This could be used for phishing or identity theft attacks.

Recommendations For IBM OpenPages with Watson versions 8.3 through 9.0, consider disabling the use of HTML tags in text fields of objects until a patch is available to prevent malicious script injection. Restrict access to workflow email notifications to minimize the risk of exploitation. Avoid using vulnerable text fields in objects to construct workflow email notifications until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.