IBM Business Process Manager Coach NG framework is vulnerable to cross-site scripting, which is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user’s web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the user’s cookie-based authentication credentials.
**CVEID:** CVE-2015-0158
**DESCRIPTION:** IBM Business Process Manager Coaches framework is vulnerable to cross-site scripting, which is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user’s web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the user’s cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100688> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Install the interim fix for APAR JR52355 as appropriate for your current IBM Business Process Manager version.
The fix for this APAR on 8.5.0.1 has been superseded and is included in the cumulative fix for JR52322.
The fix for this APAR on 8.5.5.0 has been superseded and is included in the cumulative fix for JR52137.
As a precaution, advise users not to click links in email.