Lucene search

IBM30B8FAADB19D67F7F81FFA441F67D50E821A8B7F933DC62265D9FD331574CB61

HistorySep 14, 2022 - 3:02 p.m.

Security Bulletin: A cross-site scripting vulnerability occurs in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4410)

2022-09-1415:02:20

www.ibm.com

ibm business automation workflow

ibm business process manager

cross-site scripting

vulnerability

javascript code

credentials disclosure

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

22.8%

JSON

Summary

A cross-site scripting vulnerability was found in IBM Business Automation Workflow and IBM Business Process Manager.

Vulnerability Details

CVEID: CVE-2019-4410 DESCRIPTION: IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162657> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V19.0.0.1

- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

Remediation/Fixes

Apply the JR61192 interim Fix (iFix) or the Cumulative Fix (CF) containing JR61192:

IBM Business Automation Workflow (includes the fix for IBM Business Process Manager V8.6.0.0 2018.03)
IBM Business Process Manager Advanced
IBM Business Process Manager Standard
IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V19.0.0.1
· Upgrade to at least IBM Business Automation Workflow V18.0.0.1 as required by the interim fix and then apply JR61192
--OR–
· Upgrade to Business Automation Workflow V19.0.0.2

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
· Upgrade to at least IBM BPM 8.6.0.0 CF 2017.12 as required by the interim fix and then apply JR61192
--OR–
· Upgrade to Business Automation Workflow V19.0.0.2

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
· Apply Cumulative Fix 2017.06 and then apply JR61192
--OR–
· Upgrade to Business Automation Workflow V19.0.0.2

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmbusiness_automation_workflowMatch18.0.0.0

ibmbusiness_automation_workflowMatch18.0.0.1

ibmbusiness_automation_workflowMatch18.0.0.2

ibmbusiness_automation_workflowMatch19.0.0.1

ibmbusiness_process_managerMatch8.6.0.

ibmbusiness_process_managerMatch201803

ibmbusiness_process_managerMatch8.6.0.

ibmbusiness_process_managerMatch201712

ibmbusiness_process_managerMatch8.6