IBM15674594C44EA38816092613A7735E3F57BAA42DBA8AF0BF8D518ADCB20CFA85Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (BPM) - CVE-2017-1425
EPSS
Percentile
26.3%
Summary
IBM BPM reflects untrusted user input without fully removing HTML markup. This might allow controlling parts of the user interface, possibly script injection.
Vulnerability Details
CVEID: CVE-2017-1425**
DESCRIPTION:** IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/127478> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
- IBM Business Process Manager V8.0.1.1
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
Note that release 8.0.1.2, 8.0.1.3, 8.5.5.0, and 8.5.6 (including cumulative fixes) are NOT affected.
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or CF containing APAR JR58044 as soon as practical:
- IBM Business Process Manager Advanced
- IBM Business Process Manager Standard
- IBM Business Process Manager Express
- For IBM BPM V8.0.1.1
- Install Fix Pack 3
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
- Install CF 2017.06 as required by iFix and then apply iFix JR58044
Workarounds and Mitigations
None
Related
EPSS
Percentile
26.3%