
4540 matches found

CVE
added 2021/10/01 12:20 p.m. | 35 views

CVE-2021-41110

CVE-2021-41110 affects cwlviewer prior to version 1.3.1, where a Deserialization of Untrusted Data vulnerability exists due to SnakeYaml constructors that allow parsing of arbitrary data. A patch was committed (f6066f09edb70033a2ce80200e9fa9e70a5c29de, 2021-09-30) and is the recommended fix. Ther...

CVSS 9.8 | AI score 9.4 | EPSS 0.02724
Exploits: 1 | References: 3 | Affected Software: 1

OSV
added 2021/09/29 4:15 p.m. | 2 views

CVE-2021-29834

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, and 21.0.2 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI...

CVSS 5.4 | AI score 5.5
Exploits: 0 | References: 2

Prion
added 2021/09/29 4:15 p.m. | 14 views

Cross site scripting

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, and 21.0.2 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI...

CVSS 3.5 | AI score 5.1 | EPSS 0.0048
Exploits: 0 | References: 2 | Affected Software: 2

Cvelist
added 2021/09/29 3:55 p.m. | 18 views

CVE-2021-29834

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, and 21.0.2 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI...

CVSS 6.4 | AI score 5.3 | EPSS 0.0048
Exploits: 0 | References: 2

IBM Security Bulletins
added 2021/09/28 7:16 a.m. | 48 views

Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM)

Summary Security vulnerabilities have been reported for IBM SDK for Node.js. IBM Business Automation Workflow and IBM BPM include a stand-alone tool for editing configuration properties files that is based on IBM SDK for Node.js. Vulnerability Details CVEID: CVE-2021-22918 DESCRIPTION: Node.js is...

CVSS 9.8 | AI score 0.6 | EPSS 0.37286
Exploits: 4 | Affected Software: 4

IBM Security Bulletins
added 2021/09/28 7:3 a.m. | 55 views

Security Bulletin: Multiple vulnerabilities may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) offline documentation

Summary IBM Business Process Manager and IBM Business Automation Workflow offline documentation packages open source libraries with known vulnerabilities. Do not install offline documentation and remove existing installations with the fix provided below. Vulnerability Details CVEID: CVE-2021-2335...

CVSS 8.1 | AI score 0.7 | EPSS 0.10608
Exploits: 4 | Affected Software: 4

CNNVD
added 2021/09/28 12:0 a.m. | 3 views

IBM Business Process Manager and IBM Business Automation Workflow Cross-Site Scripting Vulnerability

IBM Business Process Manager BPM and IBM Business Automation Workflow are both products of IBM Corporation, U.S.A. IBM Business Process Manager is a comprehensive business process management platform. The platform provides a series of related tools for business process modeling, assembly,...

CVSS 6.4 | AI score 6.2 | EPSS 0.0048
Exploits: 0 | References: 4

CNNVD
added 2021/09/24 12:0 a.m. | 3 views

GitHub Enterprise Server Authorization Issue Vulnerability

GitHub Enterprise Server is Github an open source application. It provides a platform for setting up your own GitHub instance as a virtual appliance, thus providing a scalable, easy-to-manage platform. GitHub Enterprise Server has a security vulnerability that stems from an improper access contro...

CVSS 9.8 | AI score 8.5 | EPSS 0.01157
Exploits: 0 | References: 3

ThreatPost
added 2021/09/17 1:20 p.m. | 23 views

Ditch the Alert Cannon: Modernizing IDS is a Security Must-Do

After more than 20 years of underwhelming results, security leaders have accepted their intrusion detection system IDS programs as no more than a compliance checkoff. It’s no secret that IDS’s reliance on bi-modal signatures is brittle, easily evaded and often referred to as an “alert cannon.” Ti...

AI score 7.5
Exploits: 0 | References: 3

IBM Security Bulletins
added 2021/09/14 8:7 p.m. | 51 views

Security Bulletin: Security Vulnerabilities in IBM® Java SDK July 2021 CPU affect multiple IBM Continuous Engineering products based on IBM Jazz Technology

Summary There are multiple vulnerabilities in IBM® SDK Java Technology Edition from July 2021 CPU that are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Engineering Lifecycle Management ELM, IBM Engineering Requirements Management DOORS Next DOORS...

CVSS 7.5 | AI score 0.5 | EPSS 0.04008
Exploits: 0 | Affected Software: 9

OSV
added 2021/09/09 9:15 p.m. | 20 views

CVE-2021-32724

check-spelling is a GitHub Action which provides CI spell checking. In affected versions and for a repository with the check-spelling action enabled that triggers on pull_request_target or schedule, an attacker can send a crafted Pull Request that causes a GITHUB_TOKEN to be exposed. With the...

CVSS 9.9 | AI score 6.8
Exploits: 0 | References: 2

Prion
added 2021/09/09 9:15 p.m. | 11 views

Design/Logic Flaw

check-spelling is a GitHub Action which provides CI spell checking. In affected versions and for a repository with the check-spelling action enabled that triggers on pull_request_target or schedule, an attacker can send a crafted Pull Request that causes a GITHUB_TOKEN to be exposed. With the...

CVSS 6.8 | AI score 9.4 | EPSS 0.0226
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2021/09/09 9:0 p.m. | 63 views

CVE-2021-32724

CVE-2021-32724 affects the GitHub Action check-spelling (check-spelling/check-spelling). In workflows that run on pull_request_target or schedule, a crafted PR can cause exposure of the GITHUB_TOKEN, enabling the attacker to push commits with repository-level access and potentially exfiltrate sec...

CVSS 9.9 | AI score 9.5 | EPSS 0.0226
Exploits: 0 | References: 2 | Affected Software: 1

Rapid7 Blog
added 2021/09/09 2:20 p.m. | 16 views

Cloud Challenges in the Age of Remote Work: Rapid7’s 2021 Cloud Misconfigurations Report

A lot changed in 2020, and the way businesses use the cloud was no exception. According to one study, 90% of organizations plan to increase their use of cloud infrastructure following the COVID-19 pandemic, and 61% are planning to optimize the way they currently use the cloud. The move to the clo...

AI score 0.3
Exploits: 0

CNVD
added 2021/09/05 12:0 a.m. | 18 views

SQL Injection Vulnerability in Panmicro e-cology (CNVD-2021-73908)

Panmicro Collaborative Management Application Platform e-cology is a collaborative business platform with enterprise information portal, knowledge management, data center, workflow management, human resource management, customer and partner management, project management, financial management and...

AI score 7.5
Exploits: 0

IBM Security Bulletins
added 2021/08/30 8:31 p.m. | 16 views

Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow - CVE-2021-20448, CVE-2021-20549, CVE-2021-20550, CVE-2021-29714

Summary The embedded IBM Content Navigator component, that is shipped with IBM Business Automation Workflow is vulnerable to multiple vulnerabilities. Vulnerability Details CVEID: CVE-2021-20550 DESCRIPTION: IBM Content Navigator 3.0.CD is vulnerable to cross-site scripting. This vulnerability...

CVSS 6.5 | AI score 0.6 | EPSS 0.01012
Exploits: 0 | Affected Software: 1

CNVD
added 2021/08/24 12:0 a.m. | 18 views

Nuance Winscribe Dictation SQL Injection Vulnerability

Nuance Winscribe Dictation is an automated workflow solution from Nuance. Create and share high-quality documents and simplify complex workflows in a more efficient and flexible way. Nuance Winscribe Dictation 4.1.0.99 is vulnerable to SQL injection. The vulnerability stems from the fact that the...

CVSS 9.8 | AI score 2 | EPSS 0.03104
Exploits: 1 | References: 1

Huntr
added 2021/08/20 2:42 p.m. | 10 views

Cross-site Scripting (XSS) - Stored in cortezaproject/corteza-webapp-workflow

✍️ Description Stored Cross-Site Scripting XSS is the type of XSS when a user injects a malicious javascript code into the web application and it gets later rendered in victim browser. 🕵️‍♂️ Proof of Concept 1. Sign in to the application as admin 2. Go to workflows 3. Edit workflow and set the...

AI score 1
Exploits: 0

OSV
added 2021/08/18 6:15 a.m. | 3 views

CVE-2021-20773

There is a vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.5.0, which may allow a remote authenticated attacker to delete the route information Workflow without the appropriate privilege...

CVSS 4.3 | AI score 6.1 | EPSS 0.0078
Exploits: 0 | References: 2

NVD
added 2021/08/18 6:15 a.m. | 20 views

CVE-2021-20773

There is a vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.5.0, which may allow a remote authenticated attacker to delete the route information Workflow without the appropriate privilege...

CVSS 4.3 | EPSS 0.0078
Exploits: 0 | References: 2