Security Bulletin: Cross-site scripting vulnerabilities in IBM Business Process Manager (BPM) Coach NG framework (CVE-2015-0158)

Published: 2018-06-15 07:02:31
Source: www.ibm.com

EPSS: 0.005 (percentile 76.5%)

Summary

IBM Business Process Manager Coach NG framework is vulnerable to cross-site scripting, which is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user’s web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the user’s cookie-based authentication credentials.
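The bulletin attributes the flaw to improper validation of user-supplied input that reaches the page through a crafted URL. The following is an added example, not IBM's code and not the Coach NG fix: it contrasts the generic vulnerable pattern (a query parameter concatenated straight into markup) with the hardened pattern (the same value HTML-encoded before it is placed into the page). The function names, the `label` parameter and the sample URL are constructed for illustration.

```javascript
// Added example (not IBM's code). Demonstrates output encoding of a
// user-supplied URL parameter, the generic defence against reflected XSS
// of the kind described in the bulletin. All names here are hypothetical.

// Characters that can change HTML context, mapped to their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode a value so it is rendered as text, never parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the raw parameter is concatenated into the markup,
// so any tag or attribute inside it becomes part of the page.
function renderUnsafe(queryParam) {
  return '<span class="coach-label">' + queryParam + '</span>';
}

// Hardened pattern: identical markup, but the parameter is encoded first.
function renderSafe(queryParam) {
  return '<span class="coach-label">' + escapeHtml(queryParam) + '</span>';
}

// Read a named query parameter from a URL (decoded), or null if absent.
function paramFromUrl(url, name) {
  return new URL(url).searchParams.get(name);
}

// Detection helper for the example: returns true when the rendered string
// contains any HTML element other than the wrapper span, i.e. when user
// input was able to introduce markup of its own.
function introducesMarkup(rendered) {
  const inner = rendered
    .replace(/^<span class="coach-label">/, '')
    .replace(/<\/span>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed sample URL whose parameter carries HTML metacharacters.
const SAMPLE_URL =
  'https://bpm.example.invalid/coach?label=%3Cb%3Ehello%3C%2Fb%3E';

// Stand-alone run: show both renderings side by side.
const label = paramFromUrl(SAMPLE_URL, 'label');
console.log('unsafe:', renderUnsafe(label));
console.log('safe:  ', renderSafe(label));
```

Encoding at the point of output is the check the bulletin's "improper validation of user-supplied input" wording points at; input validation alone is not sufficient because the browser, not the server, decides what the reflected bytes mean once they land inside HTML.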

Vulnerability Details

**CVEID:** CVE-2015-0158
**DESCRIPTION:** IBM Business Process Manager Coaches framework is vulnerable to cross-site scripting, which is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user’s web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the user’s cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100688> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

  • IBM Business Process Manager Standard V8.0.x, 8.5.x
  • IBM Business Process Manager Express V8.0.x, 8.5.x
  • IBM Business Process Manager Advanced V8.0.x, 8.5.x

Remediation/Fixes

Install the interim fix for APAR JR52355 as appropriate for your current IBM Business Process Manager.
The fix for this APAR on 8.5.0.1 has been superseded and included in cumulative fix for JR52322.
The fix for this APAR on 8.5.5.0 has been superseded and included in cumulative fix for JR52137.

Workarounds and Mitigations

As a precaution, advise users not to click links in email.
