CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
19.6%
A cross-site scripting vulnerability in IBM Business Automation Workflow and IBM BPM has been found.
CVEID: CVE-2019-4149 DESCRIPTION: IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158415> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
Install interim fix JR60802 as appropriate for your current IBM Business Automation Workflow or IBM BPM version.
For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
ยท Upgrade to at least IBM Business Automation Workflow V18.0.0.0 as required by iFix and then apply iFix JR60802
--ORโ
ยท Apply cumulative fix IBM Business Automation Workflow V19.0.0.1
For IBM BPM V8.6.0.0 through V8.6.0.0 CF 2018.03
ยท Upgrade to at least IBM BPM V8.6.0.0 CF 2017.12 as required by iFix and then apply iFix JR60802
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
ยท Apply Cumulative Fix 2017.06 and then apply iFix JR60802
For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
ยท Apply CF2 as required by iFix and then apply iFix JR60802
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | business_automation_workflow | 18.0.0.0 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 18.0.0.1 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 18.0.0.2 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:* |
ibm | business_process_manager | 8.6.0. | cpe:2.3:a:ibm:business_process_manager:8.6.0.:*:*:*:*:*:*:* |
ibm | business_process_manager | 201803 | cpe:2.3:a:ibm:business_process_manager:201803:*:*:*:*:*:*:* |
ibm | business_process_manager | 201712 | cpe:2.3:a:ibm:business_process_manager:201712:*:*:*:*:*:*:* |
ibm | business_process_manager | 8.6 | cpe:2.3:a:ibm:business_process_manager:8.6:*:*:*:*:*:*:* |
ibm | business_process_manager | 8.5.7. | cpe:2.3:a:ibm:business_process_manager:8.5.7.:*:*:*:advanced:*:*:* |
ibm | business_process_manager | 201706 | cpe:2.3:a:ibm:business_process_manager:201706:*:*:*:advanced:*:*:* |
ibm | business_process_manager | 201703 | cpe:2.3:a:ibm:business_process_manager:201703:*:*:*:advanced:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
19.6%