CVE-2025-13723
Received
Received - Intake
Information Disclosure via Expired Token in IBM Sterling PEM
Publication date: 2026-03-13
Last updated on: 2026-03-18
Assigner: IBM Corporation
Description
Description
IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive user information using an expired access token
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | sterling_partner_engagement_manager | From 6.2.3 (inc) to 6.2.3.6 (exc) |
| ibm | sterling_partner_engagement_manager | From 6.2.4 (inc) to 6.2.4.3 (exc) |
| ibm | sterling_partner_engagement_manager | From 6.2.3 (inc) to 6.2.3.6 (exc) |
| ibm | sterling_partner_engagement_manager | From 6.2.4 (inc) to 6.2.4.3 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-324 | The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. |
