CVE-2025-3630: Stored XSS Vulnerability in IBM Sterling B2B Integrator and File Gateway

IBM Sterling B2B Integrator and File Gateway are affected by a stored cross-site scripting (XSS) vulnerability. This could allow attackers to inject malicious scripts into the application and potentially steal user credentials.

Vulnerability Details

• CVE ID: CVE-2025-3630
• Description: IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 are vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
• CVSS Score: 6.4 MEDIUM
• CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
• CVSS Explanation: This CVSS vector indicates a vulnerability that can be exploited over the network with low complexity. An authenticated attacker with low privileges can inject malicious code that will execute in the context of other users, potentially leading to data theft.
• Exploit Requirements: Authenticated access to the IBM Sterling B2B Integrator or File Gateway web interface.
• Affected Vendor: IBM
• Affected Product: Sterling B2B Integrator, Sterling File Gateway
• Affected Versions: 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4
• CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Timeline of Events

• Reported: Unknown
• Published: 2025-07-08
• Awaiting Analysis: 2025-07-08

Exploitability & Real-World Risk

A successful exploit could allow an attacker to steal sensitive information, such as session cookies or credentials, from legitimate users. In a real-world attack chain, this could be used to gain unauthorized access to sensitive data or systems managed by the B2B Integrator or File Gateway.

Recommendations

• Apply the latest security patches and updates provided by IBM.
• Review user input validation and sanitization mechanisms in your web applications.
• Implement a strong Content Security Policy (CSP) to mitigate the risk of XSS attacks.

Technical Insight

The vulnerability stems from the application's failure to properly sanitize user-supplied input before displaying it in the web interface. This allows an attacker to inject malicious JavaScript code that will be executed in the victim's browser.

Credit to Researcher(s)

Vulnerability reported by IBM Security.

References

• IBM Security Advisory

Tags

CVE-2025-3630, IBM, Sterling B2B Integrator, File Gateway, XSS, Security Vulnerability

Summary: IBM Sterling B2B Integrator and File Gateway are vulnerable to stored cross-site scripting (XSS), allowing authenticated users to inject malicious JavaScript code, potentially leading to credentials disclosure. Apply the latest security patches to mitigate the risk.

CVE ID: CVE-2025-3630

Risk Analysis: Successful exploitation of this vulnerability could lead to unauthorized access to sensitive data, modification of application functionality, and potential compromise of user accounts. The impact is significant due to the potential for data breach and disruption of business processes.

Recommendation: Apply the latest security patches provided by IBM. Additionally, review and improve user input validation and sanitization mechanisms to prevent further XSS vulnerabilities.

Timeline

• 2025-07-08: Vulnerability Published

References

• https://www.ibm.com/support/pages/node/7239095