IBM Sterling Partner Engagement Manager


By the Year

In 2026 there have been 5 vulnerabilities in IBM Sterling Partner Engagement Manager, with an average score of 4.7 out of ten. Last year, in 2025, Sterling Partner Engagement Manager had 1 security vulnerability published. That is, 4 more vulnerabilities have already been reported in 2026 than last year. Last year, the average CVE base score was greater by 2.80.

| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 5 | 4.70 |
| 2025 | 1 | 7.50 |
| 2024 | 2 | 5.45 |
| 2023 | 7 | 7.09 |
| 2022 | 4 | 6.10 |

It may take a day or so for new Sterling Partner Engagement Manager vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent IBM Sterling Partner Engagement Manager Security Vulnerabilities

IBM SPM XSS Vulnerability in 6.2.3.0-6.2.4.2 Authenticated JS Injection
CVE-2025-13702 6.1 - Medium - March 13, 2026

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

IBM Sterling PEngMgr 6.2.3.x-6.2.4.2 Cleartext Leak via Unencrypted Comm
CVE-2025-13718 3.7 - Low - March 13, 2026

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information in cleartext in a communication channel that can be sniffed by unauthorized actors.

Cleartext Transmission of Sensitive Information

IBM Sterling Partner Eng Manager: Data Leak via Expired Token (6.2.4.2)
CVE-2025-13723 5.3 - Medium - March 13, 2026

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token.

Use of a Key Past its Expiration Date

IBM Sterling Partner Engagement Mgmt 6.2.3.0-6.2.4.2 Information Disclosure via Error Messages
CVE-2025-13726 5.3 - Medium - March 13, 2026

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.

Generation of Error Message Containing Sensitive Information

IBM Sterling PME 6.2.3/6.2.4 Sensitive Data Leakage via HTTP GET Query
CVE-2025-14811 3.1 - Low - March 13, 2026

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive information from the query string of an HTTP GET request, which could be obtained using man-in-the-middle techniques.

Use of GET Request Method With Sensitive Query Strings

IBM Sterling Partner Engagement Manager 6.x JWT Secret Public Helm Charts
CVE-2025-33093 7.5 - High - May 07, 2025

IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored as a Kubernetes secret.

Password in Configuration File

IBM SP Manager 6.2.2 Local Info Disclosure via Error Message
CVE-2022-35640 5.5 - Medium - July 16, 2024

IBM Sterling Partner Engagement Manager 6.2.2 could allow a local attacker to obtain sensitive information when a detailed technical error message is returned. IBM X-Force ID: 230933.

Generation of Error Message Containing Sensitive Information

IBM Sterling PEngagement Mgr 6.1.2-6.2.2 XSS in Web UI
CVE-2023-28517 5.4 - Medium - March 13, 2024

IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 250421.

XSS

IBM Sterling PartnerEngagement 6.2.2 Improper Auth Remote Abuse
CVE-2023-43045 7.5 - High - October 23, 2023

IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 could allow a remote user to perform unauthorized actions due to improper authentication. IBM X-Force ID: 266896.

Missing Authentication for Critical Function

IBM Sterling PEM 6.1.2-6.2.2 XSS Allowing JS Injection in Web UI
CVE-2023-38722 5.4 - Medium - October 23, 2023

IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 262174.

XSS

Cross-Site Scripting in IBM Sterling Eng. Manager 6.1-6.2.1 (CVE-2023-23480)
CVE-2023-23480 5.4 - Medium - June 08, 2023

IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 245885.

XSS

IBM Sterling PSM Web UI Stored XSS in v6.1-6.2.1
CVE-2023-23481 5.4 - Medium - June 08, 2023

IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 245889.

XSS

IBM Sterling Partner Eng. Manager 6.x Click Hijack Remote Vect.
CVE-2023-23482 9.6 - Critical - June 08, 2023

IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 245891.

IBM Sterling Partner Eng. Mgmt 6.1.2/6.2.0/6.2.1 Authenticated DoS via Resource Exhaustion
CVE-2022-34335 6.5 - Medium - January 11, 2023

IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.1 could allow an authenticated user to exhaust server resources which could lead to a denial of service. IBM X-Force ID: 229705.

Resource Exhaustion

SQLi in IBM Sterling Partner Engagement Manager 6.1-6.2.1 (before 6.2.2)
CVE-2022-40615 9.8 - Critical - January 11, 2023

IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 236208.

SQL Injection

IBM Sterling Partner Engagement Manager 2.0 Local User Can Read Client Data
CVE-2022-34354 3.3 - Low - November 16, 2022

IBM Sterling Partner Engagement Manager 2.0 allows encrypted storage of client data to be stored locally which can be read by another user on the system. IBM X-Force ID: 230424.

Insecure Storage of Sensitive Information

IBM SME Manager 2.0 Session Logout Does Not Invalidate Session (CVE-2022-34334)
CVE-2022-34334 6.5 - Medium - October 10, 2022

IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 229704.

Session Fixation

XXE in IBM Sterling Partner Engagement Manager 6.1 XML Processor
CVE-2022-34348 7.1 - High - September 23, 2022

IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 230017.

XXE

IBM Sterling PEM 6.1-6.2/Cloud22.2 DoS via Unbounded Connection Length
CVE-2022-35639 7.5 - High - July 26, 2022

IBM Sterling Partner Engagement Manager 6.1, 6.2, and Cloud 22.2 do not limit the length of a connection which could cause the server to become unresponsive. IBM X-Force ID: 230932.
