Security Bulletin: Cross Site Scripting may affect IBM Business Automation Workflow and IBM Case Manager (ICM) - CVE-2020-4768

Summary

IBM Case Manager and IBM Business Automation Workflow may be vulnerable to a cross site scripting attack.

Vulnerability Details

CVEID:CVE-2020-4768
**DESCRIPTION:**IBM Case Manager and IBM Business Automation Workflow are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188907 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

V18.0.0.x

IBM Business Automation Workflow|

V19.0.0.x

IBM Business Automation Workflow|

V20.0.0.1

IBM Case Manager| V5.3.x
IBM Case Manager| V5.2.x

Remediation/Fixes

Upgrade to IBM Case Manager 5.3.3 and apply PJ46300 or upgrade to IBM Business Automation Workflow 20.0.0.2 or later.

Workarounds and Mitigations

• Case package is not enabled by default in case pages. Therefore, no vulnerability is exposed if the feature is not used.
• You can disable the case package feature to be used in case pages. Instead use case operations in a workflow process to create a case package.