PatchSiren


CVE-2025-13702 IBM CVE debrief

CVE-2025-13702 is a medium-severity cross-site scripting (XSS) vulnerability in IBM Sterling Partner Engagement Manager. According to the CVE description, an authenticated user can embed arbitrary JavaScript in the Web UI, altering the application's intended functionality and potentially disclosing credentials within a trusted session. The CVE was published on 2026-03-13 and last modified on 2026-05-10.

Vendor
IBM
Product
IBM Sterling Partner Engagement Manager
CVSS
MEDIUM 6.1
CISA KEV
Not listed (no KEV entry in the stored evidence)
Original CVE published
2026-03-13
Original CVE updated
2026-05-10
Advisory published
2026-03-13
Advisory updated
2026-05-10

Who should care

Administrators of IBM Sterling Partner Engagement Manager, security teams, and anyone operating the affected 6.2.3.x or 6.2.4.x releases should prioritize this issue, especially where the Web UI is reachable by a broad set of authenticated users or is used by privileged operators.

Technical summary

NVD maps the issue to CWE-79 (improper neutralization of input during web page generation) and lists the vector as CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which scores 6.1. One detail deserves attention: the vector's PR:N says the attacker needs no privileges, while the vendor description says an authenticated user performs the injection; if PR:L were the correct reading, the same vector would score 5.4. Either way, UI:R and S:C indicate the payload executes in a victim's browser after the victim interacts with the affected page, not on the server. The affected ranges in the supplied record are 6.2.3 up to but not including 6.2.3.6 and 6.2.4 up to but not including 6.2.4.3, matching the vendor-described affected releases 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2. The impact described in the source is browser-side script execution in a trusted session, with potential credential disclosure and manipulation of UI behavior.

Defensive priority

Medium. This is not remote code execution on the server, but XSS in an administrative web UI can expose session tokens or credentials, hijack sessions, or silently change the actions a privileged operator performs. Raise the priority if the product is internet-facing, if the Web UI is used by privileged operators, or if the deployment lacks compensating controls such as consistent output encoding and an enforced Content Security Policy.

Recommended defensive actions

  • Review IBM's PSIRT advisory and apply the fixed release for your branch.
  • Upgrade out of the affected ranges: the NVD range criteria indicate 6.2.3.6 for the 6.2.3.x branch and 6.2.4.3 for the 6.2.4.x branch as the first unaffected versions; confirm these against the IBM advisory before planning the upgrade.
  • Audit the Web UI for user-controlled fields that are reflected or stored into HTML or JavaScript contexts, and confirm each is output-encoded for the context it lands in.
  • Restrict authenticated access to the Web UI to only required users and administrative networks until remediation is complete.
  • Harden session handling: set Secure, HttpOnly and SameSite on session cookies and keep session lifetimes short. HttpOnly stops injected script from reading the cookie via document.cookie, but not from issuing requests inside the victim's live session, so it limits rather than removes the value of a successful XSS.
  • Validate that compensating controls such as CSP or server-side sanitization are actually enforced in production, not merely configured or deployed in report-only mode.
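As an added example of the check behind the last two items (not code from the page, IBM or the product), the following Python audits a response's Set-Cookie and Content-Security-Policy headers for the properties that matter against XSS: cookie flags, a script-src that does not admit inline or wildcard sources, and a policy that is enforced rather than report-only. The two header sets are constructed samples; the cookie name and nonce value are placeholders, not values observed in the product.

```python
"""Check the HTTP response headers of a web UI for the compensating controls
listed above: session cookie flags and an enforced (not report-only) Content
Security Policy that would stop an injected <script> from running. Added to this
debrief as an illustration, not code from IBM or the product. The two header sets
below are constructed samples standing in for captured responses."""

from typing import Iterable

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD_SCRIPT_SOURCES = {"*", "data:", "http:", "https:"}


def audit_set_cookie(value: str) -> list[str]:
    """Findings for one Set-Cookie header value (name=value; attr; attr=value)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, cookie can be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, injected script can read it via document.cookie")
    if attrs.get("samesite") not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax or Strict")
    return findings


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source tokens]}; tokens lower-cased for matching."""
    directives = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_csp(value: str) -> list[str]:
    """Findings for an enforced Content-Security-Policy header value."""
    directives = parse_csp(value)
    findings = []
    # script-src falls back to default-src when absent; with neither, scripts are unrestricted.
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        return ["no script-src or default-src: injected scripts are unrestricted"]
    has_nonce_or_hash = any(t.startswith(NONCE_OR_HASH_PREFIXES) for t in script_src)
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' with no nonce or hash: injected <script> runs")
    broad = sorted(BROAD_SCRIPT_SOURCES.intersection(script_src))
    if broad:
        findings.append(f"script-src permits broad sources {broad}")
    return findings


def audit_response(headers: Iterable[tuple[str, str]]) -> list[str]:
    """Findings for a full response header list; an empty list means the checks pass."""
    findings = []
    enforced_csp = report_only_csp = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            findings += audit_set_cookie(value)
        elif lname == "content-security-policy":
            enforced_csp = True
            findings += audit_csp(value)
        elif lname == "content-security-policy-report-only":
            report_only_csp = True
    if not enforced_csp:
        findings.append(
            "CSP is report-only: violations are logged, scripts still run"
            if report_only_csp
            else "no Content-Security-Policy header"
        )
    return findings


# Constructed samples: a weak response and a hardened one (not captured from the product).
WEAK_RESPONSE = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0000abc123; Path=/"),
    ("Content-Security-Policy-Report-Only", "default-src 'self'"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0000abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'nonce-d3adb33f'; object-src 'none'; frame-ancestors 'none'"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(response) or ['no findings']}")
```

Point the header list at a real capture (for example the header tuples from an HTTP client response) and an empty result means the cookie flags and an enforced, nonce-based script-src are present; the report-only finding is the one most often missed when a CSP rollout is believed to be complete.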

Evidence notes

Primary facts come from the NVD record for CVE-2025-13702 and the IBM PSIRT vendor advisory link referenced in that record. The NVD entry identifies CWE-79 and provides the affected CPE ranges and CVSS vector. The vendor description states the issue is an authenticated XSS that can embed arbitrary JavaScript in the Web UI and potentially disclose credentials within a trusted session.

Official resources

The CVE was published by the CVE program on 2026-03-13 and modified on 2026-05-10. The NVD record and the IBM PSIRT advisory it references are the authoritative sources; no KEV date was supplied in the provided enrichment data.