
Security Bulletin: Persistent cross-site scripting vulnerability in Process Admin Console affecting IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (WLE) CVE-2015-0156

2018-06-15 07:02:33
www.ibm.com

EPSS: 0.001 (percentile 35.3%)

Summary

IBM Business Process Manager is vulnerable to stored cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
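To make the mechanism in the summary concrete, here is an added illustration (not code from the IBM bulletin or from the Process Admin Console) of the defect class it describes: a stored, user-supplied value rendered into a page without output encoding, placed next to the hardened form. The stored value, the table-cell template, the cookie name `SESSIONID` and the helper names are all constructed for this example. The `contains_active_content` check is the kind of assertion a defender can put in a rendering test, and `session_cookie_header` shows the `HttpOnly` flag that limits the cookie-theft impact the advisory names.

```python
"""Stored XSS: vulnerable rendering beside output-encoded rendering.

Added example for illustration; none of this is the product's own code.
"""
import html
from html.parser import HTMLParser

# Constructed sample of an attacker-controlled value that an application
# persisted (e.g. a display name) and later renders back to other users.
STORED_INPUT = 'Alice <script>alert(1)</script>'


def render_vulnerable(stored_value: str) -> str:
    """Interpolates the stored value into markup verbatim.

    This is the pattern the advisory describes: the browser parses the
    injected <script> element in the security context of the hosting site.
    """
    return f"<td>{stored_value}</td>"


def render_hardened(stored_value: str) -> str:
    """Encodes the value for an HTML text context before interpolation.

    html.escape turns <, >, &, " and ' into character references, so the
    browser shows the text literally instead of parsing it as markup.
    """
    return f"<td>{html.escape(stored_value, quote=True)}</td>"


class _ActiveContentDetector(HTMLParser):
    """Flags <script> elements and on* event-handler attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.found = True
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.found = True


def contains_active_content(fragment: str) -> bool:
    """True if the fragment, as a browser would parse it, carries script.

    Useful as a regression check on rendered templates: encoded output
    never yields a script start tag, raw interpolation does.
    """
    detector = _ActiveContentDetector()
    detector.feed(fragment)
    detector.close()
    return detector.found


def session_cookie_header(session_id: str) -> str:
    """Builds a Set-Cookie header with HttpOnly so script cannot read it.

    Cookie name is a constructed placeholder. HttpOnly does not stop XSS,
    but it removes the direct cookie-exfiltration impact the bulletin cites.
    """
    return f"Set-Cookie: SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(STORED_INPUT))
    print("  active?  :", contains_active_content(render_vulnerable(STORED_INPUT)))
    print("hardened   :", render_hardened(STORED_INPUT))
    print("  active?  :", contains_active_content(render_hardened(STORED_INPUT)))
    print(session_cookie_header("constructed-session-id"))
```

The encoding here is for an HTML text context only; values placed into attributes, URLs or inline script need the encoder for that context, and a templating engine with context-aware auto-escaping is the usual way to get that right across a whole console.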

Vulnerability Details

CVEID: CVE-2015-0156
DESCRIPTION: IBM Business Process Manager is vulnerable to stored cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100792> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

  • IBM Business Process Manager Standard V7.5.x, 8.0.x, 8.5.x
  • IBM Business Process Manager Express V7.5.x, 8.0.x, 8.5.x
  • IBM Business Process Manager Advanced V7.5.x, 8.0.x, 8.5.x
  • WebSphere Lombardi Edition 7.2.x

If you are using an earlier, unsupported version, IBM strongly recommends upgrading.

Remediation/Fixes

Install the interim fix for APAR JR52420 as appropriate for your current IBM Business Process Manager environment, or for APAR IT06812 for your current WebSphere Lombardi Edition environment.

Workarounds and Mitigations

None
