IBM BPM reflects untrusted user input without fully removing HTML markup. This might allow controlling parts of the user interface, possibly script injection.
CVEID: CVE-2017-1425**
DESCRIPTION:** IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/127478> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
- IBM Business Process Manager V8.0.1.1
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
Note that release 8.0.1.2, 8.0.1.3, 8.5.5.0, and 8.5.6 (including cumulative fixes) are NOT affected.
The recommended solution is to apply the Interim Fix (iFix) or CF containing APAR JR58044 as soon as practical:
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
None