History: Jun 15, 2018 - 7:03 a.m.

Security Bulletin: JavaScript evaluation vulnerability in IBM Business Process Manager (CVE-2015-1961)

2018-06-15 07:03:10
www.ibm.com

EPSS: 0.003

Percentile: 70.0%

Summary

Due to insufficient validation of input parameters and the failure to honor a configuration setting, authenticated users can send JavaScript for execution on the server side.

Vulnerability Details

CVEID: CVE-2015-1961
DESCRIPTION: IBM Business Process Manager could allow a remote authenticated attacker to execute code due to insufficient input validation in one variant of a BPM REST API. It is possible to remotely invoke server-side JavaScript that is not intended to be exposed for remote access, which may bypass authorization checks.
CVSS Base Score: 9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103547> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Affected Products and Versions

    • IBM Business Process Manager V7.5.1 through V8.5.6.0

For earlier unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

Install the interim fix for APAR JR53356 as appropriate for your current IBM Business Process Manager or WebSphere Lombardi Edition version.

Workarounds and Mitigations

None

