Due to insufficient validation of input parameters and the failure to honor a configuration setting, authenticated users can send JavaScript for execution on the server side.
CVEID: CVE-2015-1961
DESCRIPTION: IBM Business Process Manager could allow a remote authenticated attacker to execute code. Due to insufficient input validation of one variant of a BPM REST API, it is possible to remotely invoke server-side JavaScript which is not intended to be exposed for remote access and may bypass authorization checks.
CVSS Base Score: 9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103547> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
For earlier unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Install the interim fix for APAR JR53356 as appropriate for your current IBM Business Process Manager or WebSphere Lombardi Edition version.
None