CVE-2025-13702 is a cross-site scripting vulnerability identified in IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2. This vulnerability allows an authenticated user to inject arbitrary JavaScript code into the web user interface. The injection occurs because the application fails to properly sanitize user-supplied input before rendering it in the browser context. As a result, malicious scripts can execute within the context of a trusted session, potentially altering the intended functionality of the application. The primary risk is the disclosure of sensitive information such as user credentials or session tokens, which could be harvested by an attacker to escalate privileges or impersonate users. The CVSS v3.1 base score is 6.1, reflecting a medium severity level. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but user interaction is required (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. Confidentiality and integrity impacts are low, while availability is not affected. No public exploits have been reported yet, but the vulnerability could be leveraged in targeted attacks within organizations that use IBM Sterling Partner Engagement Manager for supply chain and partner collaboration workflows.

The vulnerability could lead to unauthorized disclosure of credentials and session tokens, enabling attackers to impersonate legitimate users or escalate privileges within the IBM Sterling environment. This can compromise the confidentiality and integrity of sensitive partner and supply chain data managed through the platform. Organizations relying on Sterling Partner Engagement Manager for critical business processes may face operational disruptions if attackers manipulate the application’s functionality or gain unauthorized access. Although availability is not directly impacted, the breach of trust and data exposure could lead to reputational damage, regulatory penalties, and financial losses. The requirement for authentication and user interaction limits the ease of exploitation but does not eliminate risk, especially in environments with many users or where insider threats exist. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks, especially as threat actors develop targeted campaigns against supply chain management systems.

1. Apply vendor patches or updates as soon as they become available to address the vulnerability directly. 2. Implement strict input validation and output encoding on all user-supplied data within the Sterling Partner Engagement Manager UI to prevent script injection. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the web interface. 4. Enforce multi-factor authentication (MFA) to reduce the risk of compromised credentials being used maliciously. 5. Monitor user activity and audit logs for unusual behavior indicative of XSS exploitation attempts or session hijacking. 6. Educate users about the risks of interacting with suspicious content even within authenticated sessions. 7. Consider isolating the Sterling Partner Engagement Manager environment from broader networks to limit lateral movement if compromise occurs. 8. Review and harden session management configurations to minimize the impact of stolen session tokens. 9. Conduct regular security assessments and penetration testing focusing on web application vulnerabilities including XSS.