Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMCD59F77C5F324DCB06EA1C46D66FD78C6FDFC7B742BB24C26335CD03C7022E8D
HistoryMar 10, 2022 - 9:29 p.m.

Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2021-38893

2022-03-1021:29:40
www.ibm.com
10

0.001 Low

EPSS

Percentile

23.7%

JSON

Summary

Process Admin Console in IBM Business Process Manager and IBM Business Automation Workflow is vulnerable to a Cross-Site Scripting attack.

Vulnerability Details

CVEID:CVE-2021-38893
**DESCRIPTION:**IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209512.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209512 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Business Automation Workflow V21.0
V20.0
V19.0
V18.0
IBM Business Process Manager V8.6
V8.5

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR64102 as soon as practical:

For IBM Business Automation Workflow V18.0, V19.0, V20.0, and V21.0
ยท Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR64102
--ORโ€“
ยท Apply cumulative fix Business Automation Workflow V21.0.3 or later

For IBM Business Process Manager V8.6
ยท Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR64102
--ORโ€“
ยท Upgrade to Business Automation Workflow V21.0.3 or later

For IBM BPM V8.5
ยท Upgrade to IBM BPM V8.5.7, apply Cumulative Fix 2017.06 and then apply iFix JR64102
--ORโ€“
ยท Upgrade to Business Automation Workflow V21.0.3 or later

Workarounds and Mitigations

None

Related

cnvd 1
nvd 1
prion 1
cve 1
cvelist 1
ibm 3
cnvd
cnvd
IBM Business Automation Workflow Cross-Site Scripting Vulnerability (CNVD-2022-15537)
2021-12-21 00:00:00
nvd
nvd
CVE-2021-38893
2021-12-21 19:15:07
prion
prion
Cross site scripting
2021-12-21 19:15:00
cve
cve
CVE-2021-38893
2021-12-21 19:15:07
cvelist
cvelist
CVE-2021-38893
2021-12-20 00:00:00
ibm
ibm
Security Bulletin: Cross-site scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2021-38893
2022-04-05 21:21:51
Security Bulletin: Cross-Site Scripting vulnerability affect IBM Cloud Pak for Automation Workflow Process Service (CVE-2021-38893 CVE-2021-38966)
2022-03-10 22:22:11
Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022
2022-03-10 21:42:40

0.001 Low

EPSS

Percentile

23.7%

JSON
Related for CD59F77C5F324DCB06EA1C46D66FD78C6FDFC7B742BB24C26335CD03C7022E8D
cnvd1nvd1prion1cve1cvelist1ibm3