History: Jun 15, 2018 - 7:02 a.m.

Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (WLE) Process Portal (CVE-2015-0106)

2018-06-15 07:02:25
www.ibm.com

CVSS2: 4.3 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.001 Low (Percentile: 48.4%)

Summary

IBM Business Process Manager and WebSphere Lombardi Edition are vulnerable to cross-site scripting, which is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user’s web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the user’s cookie-based authentication credentials.

Vulnerability Details

CVEID: CVE-2015-0106
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site scripting, which is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user's web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the user's cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99585> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

  • IBM Business Process Manager Standard V7.5.x, 8.0.x, 8.5.x
  • IBM Business Process Manager Express V7.5.x, 8.0.x, 8.5.x
  • IBM Business Process Manager Advanced V7.5.x, 8.0.x, 8.5.x
  • WebSphere Lombardi Edition 7.2.x

If you are using an earlier, unsupported version, IBM strongly recommends upgrading.

Remediation/Fixes

Install the interim fix for APAR JR50795 as appropriate for your current IBM Business Process Manager.

Workarounds and Mitigations

None

