Security Bulletin: HTML injection vulnerability in IBM Business Process Manager (BPM) - CVE-2017-1424

Summary

IBM BPM allows users to interact with one another without fully removing HTML markup. This might allow controlling parts of the user interface, possibly script injection.

Vulnerability Details

CVEID: CVE-2017-1424**
DESCRIPTION:** IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/127477&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- IBM Business Process Manager Advanced V8.5.7.0 including cumulative fix 2017.06

Remediation/Fixes

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06

• Install CF 2017.06 as required by iFix and then apply iFix JR58043
• IBM Business Process Manager Advanced
• IBM Business Process Manager Standard
• IBM Business Process Manager Express

Workarounds and Mitigations

Disable all Social Features or Mentions feature within the Social Feature by setting com.ibm.bpm.portal.disableSocial=allor com.ibm.bpm.portal.disableSocial=mentions… Consult the documentation <https://www.ibm.com/support/knowledgecenter/en/SSFTN5_8.5.7/com.ibm.wbpm.admin.doc/topics/tadm_portal_customprops_mashups.html&gt; for detail.