IBM Sterling B2b Integrator
By the Year
In 2026 there has been 1 vulnerability in IBM Sterling B2b Integrator, with an average score of 4.9 out of ten. Last year, in 2025, Sterling B2b Integrator had 27 security vulnerabilities published. Right now, Sterling B2b Integrator is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was greater by 0.53.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 4.90 |
| 2025 | 27 | 5.43 |
| 2024 | 9 | 5.21 |
| 2023 | 13 | 7.10 |
| 2022 | 3 | 7.23 |
| 2021 | 18 | 5.80 |
| 2020 | 14 | 6.18 |
| 2019 | 17 | 5.47 |
| 2018 | 7 | 0.00 |
It may take a day or so for new Sterling B2b Integrator vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent IBM Sterling B2b Integrator Security Vulnerabilities
Info Disclosure via Detailed Errors in IBM Sterling B2B Integrator/FG 6.x
CVE-2025-36348
4.9 - Medium
- February 17, 2026
IBM Sterling B2B Integrator versions 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 through 6.2.1.1, and IBM Sterling File Gateway versions 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 through 6.2.1.1 may expose sensitive information to a remote privileged attacker due to the application returning detailed technical error messages in the browser.
Generation of Error Message Containing Sensitive Information
IBM Sterling B2B/FG 6.x Sensitive Cookie SameSite Disclosure
CVE-2025-36134
3.7 - Low
- November 25, 2025
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie.
Sensitive Cookie with Improper SameSite Attribute
CVE-2025-36112 - IBM Sterling B2B Integrator/File Gateway 6.2.1.1 IP Info Disclosure
CVE-2025-36112
5.3 - Medium
- November 24, 2025
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could reveal sensitive server IP configuration information to an unauthorized user.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
IBM Sterling B2B & File Gateway 6.0-6.2.1.x Auth XSS in Web UI Credential Leak
CVE-2025-36135
5.4 - Medium
- November 07, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.7_1, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7_1, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B Intgr. 6.2.x Credential Exposure
CVE-2025-36002
5.5 - Medium
- October 16, 2025
IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.
Password in Configuration File
IBM Sterling B2B/FG 6.0–6.2.1 – Info Disclosure CVE-2025-2988
CVE-2025-2988
2.7 - Low
- August 19, 2025
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7, 6.2.0.0 through 6.2.0.4, and 6.2.1.0 could disclose sensitive server information to an unauthorized user that could aid in further attacks against the system.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
IBM Sterling B2B/File Gateway <=6.2.0.4 Referrer Leak Remote Attacker
CVE-2025-33014
6.1 - Medium
- July 18, 2025
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.4 uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions on the victim's web browser.
tabnabbing
IBM Sterling B2B Integrator XSS in Web UI 6.0-6.2
CVE-2025-2793
5.4 - Medium
- July 08, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B Integrator XSS 6.0.0.0–6.2.0.4 (Authenticated Users)
CVE-2025-3630
5.4 - Medium
- July 08, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling File Gateway 6.0–6.2 CSRF Vulnerability in Authenticated Sessions
CVE-2024-54172
4.3 - Medium
- June 18, 2025
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Session Riding
IBM Sterling B2B Integrator / File Gateway 6.0-6.2: Local user can exfil cache
CVE-2025-1348
4 - Medium
- June 18, 2025
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4 could allow a local user to obtain sensitive information from a user's web browser cache due to not using a suitable caching policy.
Use of Web Browser Cache Containing Sensitive Information
IBM Sterling B2B Integrator & File Gateway <=6.2.0.4 Web UI XSS
CVE-2025-1349
4.8 - Medium
- June 18, 2025
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B Integrator XSS v6.0.0.0-6.2.0.4
CVE-2024-54183
5.4 - Medium
- June 18, 2025
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B Integrator XSS via Web UI (6.0-6.2)
CVE-2024-56338
4.8 - Medium
- March 11, 2025
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.3 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B Integrator Std Edition <6.2.0.3 Privileged DB Info Disclosure
CVE-2024-52905
2.7 - Low
- March 10, 2025
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.3 could disclose sensitive database information to a privileged user.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
IBM Sterling B2B Integrator XSS (6.0.0.0-6.1.2.5, 6.2.0.0-6.2.0.3) Store-XSS
CVE-2024-49807
5.4 - Medium
- January 31, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B Igr 6.x Auth XSS injects arbitrary JS (CVE-2024-47116)
CVE-2024-47116
5.4 - Medium
- January 31, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B Integrator 6.0-6.2.0.3 Web UI XSS via privileged user
CVE-2024-47103
5.4 - Medium
- January 31, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B Integrator 6.0-6.2 EBICS filename disclosure (CVE-2024-45089)
CVE-2024-45089
4.3 - Medium
- January 31, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition EBICS server could allow an authenticated user to obtain sensitive filename information due to an observable discrepancy.
Side Channel Attack
CVE-2024-40696: IBM Sterling B2B Integrator XSS (Privileged User)
CVE-2024-40696
5.4 - Medium
- January 31, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B Integrator 6.0-6.2.0.3 CSRF Vulnerability
CVE-2023-38739
8.8 - High
- January 31, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
Session Riding
Dashboard UI info disclosure via MITM in IBM Sterling B2B Integrator <6.2.1
CVE-2024-27263
5.3 - Medium
- January 28, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.1 could allow an authenticated user to obtain sensitive information from the dashboard UI using man in the middle techniques.
Man-in-the-Middle / MITM
IBM Sterling B2B Integrator SQLi 6.0-6.2
CVE-2023-50316
9.8 - Critical
- January 28, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
SQL Injection
Cross-site Scripting in IBM Sterling B2B Integrator 6.0.0.0-6.2.0.0 Web UI
CVE-2023-32340
5.4 - Medium
- January 23, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B Integrator 6.0.0.0-6.2.x Vulnerable to Stored XSS in Web UI
CVE-2023-50309
5.4 - Medium
- January 23, 2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B Integrator RCE via Deserialization 6.0.0.0-6.2.0.2
CVE-2024-31903
8.8 - High
- January 22, 2025
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 allow an attacker on the local network to execute arbitrary code on the system, caused by the deserialization of untrusted data.
Marshaling, Unmarshaling
IBM Sterling B2B Integrator 6.0-6.2 Stored XSS in Web UI (pre-6.2.0.3)
CVE-2024-31914
6.4 - Medium
- January 06, 2025
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
Stored XSS in IBM Sterling B2B Integrator Standard 6.0-6.2 via Web UI
CVE-2024-31913
5.4 - Medium
- January 06, 2025
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B Integrator Standard Edition XSS Vulnerability in Web UI
CVE-2021-20553
5.4 - Medium
- December 19, 2024
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM Sterling B2B SI 6.0-6.1.2.5/6.2-6.2.0.2: HTTP Resp Info Leak
CVE-2023-42010
3.7 - Low
- July 17, 2024
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 could disclose sensitive information in the HTTP response using man in the middle techniques. IBM X-Force ID: 265507.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
IBM Sterling B2B Integrator SE 6.1/6.2 UI Frame Restriction Bypass
CVE-2023-42011
5.4 - Medium
- June 27, 2024
IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. IBM X-Force ID: 265508.
Clickjacking
IBM Sterling B2B Integrator XSS before 6.2.0.2
CVE-2023-42014
5.4 - Medium
- June 27, 2024
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.2.0.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 265511.
XSS
IBM Sterling B2B Integrator 6.x XSS in Web UI; credentials risk
CVE-2024-22357
5.4 - Medium
- April 12, 2024
IBM Sterling B2B Integrator 6.0.0.0 through 6.0.3.9, 6.1.0.0 through 6.1.2.3, and 6.2.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 280894.
XSS in IBM Sterling B2B Integrator 6.0-6.2 Web UI leads to credential disclosure
CVE-2023-50307
5.4 - Medium
- April 12, 2024
IBM Sterling B2B Integrator 6.0.0.0 through 6.0.3.9, 6.1.0.0 through 6.1.2.3, and 6.2.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 273338.
XSS
IBM Sterling B2B Integrator 6.0-6.2 XSS in Web UI allows JS injection
CVE-2023-45186
5.4 - Medium
- April 12, 2024
IBM Sterling B2B Integrator 6.0.0.0 through 6.0.3.9, 6.1.0.0 through 6.1.2.3, and 6.2.0.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 268691.
XSS
IBM Sterling B2B Integrator 6.0-6.1: Authenticated DoS via Resource Exhaustion
CVE-2023-32341
6.5 - Medium
- February 09, 2024
IBM Sterling B2B Integrator 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 could allow an authenticated user to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 255827.
Resource Exhaustion
IBM Sterling B2B Integrator 6.x insecure auth cookie secure flag
CVE-2023-42016
4.3 - Medium
- February 09, 2024
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 265559.
Cleartext Transmission of Sensitive Information
IBM Sterling B2B Integrator SE Log Disclosure 6.0-6.1
CVE-2023-25682
5.5 - Medium
- November 22, 2023
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.1 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 247034.
Insertion of Sensitive Information into Log File
IBM Sterling B2B Integrator 6.1.2.1 CSRF Vulnerability
CVE-2022-35638
8.8 - High
- November 22, 2023
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 230824.
IBM Sterling B2B Integrator SE 6.0.x-6.1.x Privileged Info Disclosure
CVE-2023-22876
6.5 - Medium
- March 15, 2023
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.7 and 6.1.0.0 through 6.1.2.1 could allow a privileged user to obtain sensitive information that could aid in further attacks against the system. IBM X-Force ID: 244364.
IBM Sterling B2B Integrator XSS in Web UI (v6.0.0-6.1.2)
CVE-2022-43578
5.4 - Medium
- February 22, 2023
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.7 and 6.1.0.0 through 6.1.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 238683.
XSS
IBM Sterling B2B 6.0-6.1 Improper ACL Enables Auth'd Unauthorized Actions
CVE-2022-40231
8.8 - High
- February 17, 2023
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.7 and 6.1.0.0 through 6.1.2.0 could allow an authenticated user to perform unauthorized actions due to improper access controls. IBM X-Force ID: 235533.
IBM Sterling B2B Integrator v6.1.0.0-6.1.2.0 Improper Permission Control
CVE-2022-40232
8.8 - High
- February 17, 2023
IBM Sterling B2B Integrator Standard Edition 6.1.0.0 through 6.1.1.1, and 6.1.2.0 could allow an authenticated user to perform actions they should not have access to due to improper permission controls. IBM X-Force ID: 235597.
Incorrect Default Permissions
IBM Sterling B2B Integrator 6.1.2.1 XSS in Web UI
CVE-2022-34330
6.1 - Medium
- January 05, 2023
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229469.
XSS
IBM Sterling B2B Integrator 6.x Session Invalidation Flaw (CVE-2022-22371)
CVE-2022-22371
6.5 - Medium
- January 05, 2023
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195.
Insufficient Session Expiration
IBM Sterling B2B Integrator SE 6.0-6.1.2.1 XSS Vulnerability
CVE-2022-22352
5.4 - Medium
- January 04, 2023
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 220398.
XSS
IBM Sterling B2B Intgr SE v6.0-6.1.2.1 SFTP Adapter A/C Escalation
CVE-2022-43920
8.8 - High
- January 04, 2023
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 could allow an authenticated user to gain privileges in a different group due to an access control vulnerability in the Sftp server adapter. IBM X-Force ID: 241362.
IBM Sterling B2B Int SE 6.x SQLi in DB Component
CVE-2022-22338
9.8 - Critical
- January 04, 2023
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 219510.
SQL Injection
Sensitive info disclosure in IBM Sterling B2B Intgr Standard 6.0-6.1.2.1
CVE-2022-22337
6.5 - Medium
- January 04, 2023
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 could disclose sensitive information to an authenticated user. IBM X-Force ID: 219507.
IBM Sterling B2B Integrator CORS flaw (v6.0-6.1.2.1)
CVE-2021-38928
5.4 - Medium
- January 04, 2023
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. IBM X-Force ID: 210323.