IBMF48BF1F8EA9727ADB48030993F905DED510E7F0D968FA1B292B4ADB727BA0C17Security Bulletin: Cross Site Scripting vulnerability affects IBM Business Automation Workflow - CVE-2022-41735
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
27.1%
Summary
IBM Business Automation Workflow is vulnerable to a Cross Site Scripting attack.
Vulnerability Details
CVEID:CVE-2022-41735
**DESCRIPTION:**IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237809 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.1 - V22.0.1-IF004 | |
| V21.0.3 - V21.0.3-IF014 | ||
| V21.0.2 all fixes | ||
| V20.0.0.2 all fixes | ||
| V20.0.0.1 all fixes | affected | |
| IBM Business Automation Workflow traditional | V22.0.1 | |
| V21.0.1 - V21.0.3.1 | ||
| V20.0.0.1 - V20.0.0.2 | ||
| V19.0.0.1 - V19.0.0.3 | affected |
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT160626 as soon as practical.
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.1 | Apply 22.0.1-IF005 or later |
| IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF015 or later |
| or upgrade to 22.0.1-IF005 or later | ||
| IBM Business Automation Workflow containers | V21.0.2 | |
| V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF015 or later | |
| or upgrade to 22.0.1-IF005 or later | ||
| IBM Business Automation Workflow traditional | V22.0.1 | Apply DT160626 |
| IBM Business Automation Workflow traditional | V21.0.3 | Apply DT160626 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160626 | ||
| IBM Business Automation Workflow traditional | V21.0.2 | Upgrade to IBM Business Automation Workflow 21.0.3 and apply DT160626 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160626 | ||
| IBM Business Automation Workflow traditional | V20.0.0.2 | Apply DT160626 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160626 | ||
| IBM Business Automation Workflow traditional | V20.0.0.1 | Upgrade to IBM Business Automation Workflow v20.0.0.2 and apply DT160626 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160626 | ||
| IBM Business Automation Workflow traditional | V19.0.0.3 | Apply DT160626 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160626 | ||
| IBM Business Automation Workflow traditional | V19.0.0.1 - V19.0.0.2 | Upgrade to IBM Business Automation Workflow 19.0.0.3 and apply DT160626 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160626 |
Workarounds and Mitigations
None
Affected configurations
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
27.1%