Business Process Manager@8.5.5.0 Security Vulnerabilities and Issues — Business Process Manager@8.5.5.0 CVE List

Lucene search

IbmBusiness Process Manager8.5.5.0

60 matches found

CVE•added 2017/05/22 8:29 p.m.•51 views

CVE-2017-1159

IBM Business Process Manager 8.0 and 8.5 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a mali...

5.4CVSS5.1AI score0.001EPSS

CVE•added 2016/03/21 2:59 p.m.•49 views

CVE-2015-7454

Business Space in IBM WebSphere Process Server 6.1.2.0 through 7.0.0.5 and Business Process Manager Advanced 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0.x through 8.5.0.2, 8.5.5.x through 8.5.5.0, and 8.5.6.x through 8.5.6.2 allows remote authenticated users to bypass intended access restri...

4.3CVSS5.5AI score0.0016EPSS

CVE•added 2017/06/08 9:29 p.m.•49 views

CVE-2017-1140

IBM Business Process Manager 8.0 and 8.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

5.4CVSS5.2AI score0.00269EPSS

CVE•added 2021/12/21 7:15 p.m.•48 views

CVE-2021-38893

IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to cre...

6.4CVSS5.2AI score0.00294EPSS

CVE•added 2019/04/08 3:29 p.m.•46 views

CVE-2019-4045

IBM Business Automation Workflow and IBM Business Process Manager 18.0.0.0, 18.0.0.1, and 18.0.0.2 provide embedded document management features. Because of a missing restriction in an API, a client might spoof the last modified by value of a document. IBM X-Force ID: 156241.

4.3CVSS4.4AI score0.00126EPSS

CVE•added 2021/12/17 5:15 p.m.•46 views

CVE-2021-38883

IBM Business Automation Workflow 18.0, 19.0, 20,0 and 21.0 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credential...

5.4CVSS5.2AI score0.00215EPSS

CVE•added 2015/03/24 12:59 a.m.•45 views

CVE-2015-0103

Multiple cross-site scripting (XSS) vulnerabilities in the Process Portal in IBM Business Process Manager (BPM) 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified data fields.

3.5CVSS5.3AI score0.00176EPSS

CVE•added 2015/03/24 2:1 a.m.•45 views

CVE-2015-0158

Cross-site scripting (XSS) vulnerability in the Coach NG framework in IBM Business Process Manager (BPM) 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3CVSS5.6AI score0.00358EPSS

CVE•added 2017/09/26 5:29 p.m.•45 views

CVE-2017-1539

IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to privilege escalation by not properly distinguishing internal group memberships from user registry group memberships. By manipulating LDAP group membership an attack might gain privileged access. IBM X-Force ID: 130807.

8.8CVSS8.6AI score0.00596EPSS

CVE•added 2019/08/20 8:15 p.m.•45 views

CVE-2019-4424

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, and 19.0.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ...

8.2CVSS7.9AI score0.0037EPSS

CVE•added 2017/09/15 8:29 p.m.•44 views

CVE-2015-0110

IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and WebSphere Lombardi Edition (aka WLE) 7.2.x allow remote authenticated users to bypass intended access restrictions on internal service types via vectors involving the executeServiceByName URL.

6.5CVSS6AI score0.0009EPSS

CVE•added 2017/03/07 5:59 p.m.•44 views

CVE-2016-9693

IBM Business Process Manager 7.5, 8.0, and 8.5 has a file download capability that is vulnerable to a set of attacks. Ultimately, an attacker can cause an unauthenticated victim to download a malicious payload. An existing file type restriction can be bypassed so that the payload might be considere...

6.8CVSS6.1AI score0.00178EPSS

CVE•added 2015/03/24 12:59 a.m.•43 views

CVE-2015-0106

Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 and WebSphere Lombardi Edition (WLE) 7.2.x through 7.2.0.5 allows remote attackers to inject arbitrary web script or HTML via a...

4.3CVSS5.6AI score0.00271EPSS

CVE•added 2017/09/26 5:29 p.m.•43 views

CVE-2017-1527

IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 130156.

8.1CVSS7.8AI score0.00542EPSS

CVE•added 2017/09/26 5:29 p.m.•43 views

CVE-2017-1531

IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 130...

5.4CVSS5.2AI score0.00269EPSS

CVE•added 2019/04/08 3:29 p.m.•43 views

CVE-2018-1997

IBM Business Automation Workflow and Business Process Manager 18.0.0.0, 18.0.0.1, and 18.0.0.2 are vulnerable to a denial of service attack. An authenticated attacker might send a specially crafted request that exhausts server-side memory. IBM X-Force ID: 154774.

6.5CVSS6.2AI score0.00188EPSS

CVE•added 2014/12/17 12:59 a.m.•42 views

CVE-2014-4844

The import/export functionality in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5 allows remote authenticated users to bypass intended access restrictions via a project action for a (1) process application or (2) toolkit.

6.5CVSS6.2AI score0.00216EPSS

CVE•added 2014/10/31 10:55 a.m.•42 views

CVE-2014-6101

Cross-site scripting (XSS) vulnerability in the redirect-login feature in IBM Business Process Manager (BPM) Advanced 7.5 through 8.5.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3CVSS5.7AI score0.00321EPSS

CVE•added 2015/10/03 10:59 p.m.•42 views

CVE-2015-4955

Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 before 8.5.6.0 CF1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

3.5CVSS6.8AI score0.00231EPSS

CVE•added 2017/12/20 6:29 p.m.•42 views

CVE-2017-1494

IBM Business Process Manager 8.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 128692.

5.4CVSS5.2AI score0.00286EPSS

CVE•added 2018/03/30 4:29 p.m.•42 views

CVE-2017-1756

IBM Business Process Manager 8.6 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 135856.

4CVSS3.4AI score0.00111EPSS

CVE•added 2019/04/08 3:29 p.m.•42 views

CVE-2018-1999

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, and 18.0.0.2 could reveal sensitive version information about the server from error pages that could aid an attacker in further attacks against the system. IBM X-Force ID: 154889.

4.3CVSS4.2AI score0.00119EPSS

CVE•added 2014/08/17 11:55 p.m.•41 views

CVE-2014-3087

callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE)...

4CVSS6.4AI score0.00291EPSS

CVE•added 2014/12/19 2:59 a.m.•41 views

CVE-2014-6173

Cross-site scripting (XSS) vulnerability in the Process Inspector in IBM Business Process Manager (BPM) 8.0.x through 8.0.1.3 and 8.5.x through 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

3.5CVSS5.2AI score0.00227EPSS

CVE•added 2014/12/17 12:59 a.m.•41 views

CVE-2014-6182

Directory traversal vulnerability in an export function in the Process Center in IBM Business Process Manager (BPM) 8.0.x through 8.0.1.3 and 8.5.x through 8.5.5 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a URL.

4CVSS6.2AI score0.00389EPSS

CVE•added 2016/02/29 11:59 a.m.•41 views

CVE-2015-8524

Cross-site scripting (XSS) vulnerability in Process Portal in IBM Business Process Manager 8.5.0.x through 8.5.0.2, 8.5.5.x through 8.5.5.0, and 8.5.6.x through 8.5.6.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

6.1CVSS5.9AI score0.00266EPSS

CVE•added 2016/10/14 2:59 a.m.•41 views

CVE-2016-3056

Cross-site scripting (XSS) vulnerability in Business Space in IBM Business Process Manager 7.5 through 7.5.1.2, 8.0 through 8.0.1.3, and 8.5 before 8.5.7.0 CF2016.09 allows remote authenticated users to inject arbitrary web script or HTML via crafted content.

5.4CVSS5.2AI score0.00241EPSS

CVE•added 2018/03/30 4:29 p.m.•41 views

CVE-2017-1767

IBM Business Process Manager 8.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 136152.

5.4CVSS5.2AI score0.0039EPSS

CVE•added 2019/04/08 3:29 p.m.•41 views

CVE-2018-1885

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, and 18.0.0.2 could allow an unauthenticated attacker to obtain sensitve information using a specially cracted HTTP request. IBM X-Force ID: 152020.

5.3CVSS5AI score0.00202EPSS

CVE•added 2014/09/04 10:55 a.m.•40 views

CVE-2014-4758

IBM Business Process Manager (BPM) 7.5.x through 8.5.5 and WebSphere Lombardi Edition 7.2.x allow remote authenticated users to bypass intended access restrictions and send requests to internal services via a callService URL.

4CVSS6.2AI score0.00202EPSS

CVE•added 2014/12/16 11:59 p.m.•39 views

CVE-2014-6176

IBM WebSphere Process Server 7.0, WebSphere Enterprise Service Bus 7.0, and Business Process Manager Advanced 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5 disregard the SSL setting in the SCA module HTTP import binding and unconditionally select the SSLv3 protocol, which ma...

4.3CVSS6.1AI score0.0036EPSS

CVE•added 2015/01/21 3:17 p.m.•39 views

CVE-2014-8913

Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8914.

3.5CVSS5.2AI score0.00304EPSS

CVE•added 2016/01/01 12:59 a.m.•39 views

CVE-2015-7441

Remote Artifact Loader (RAL) in IBM WebSphere Process Server 7 and Business Process Manager Advanced 7.5 through 7.5.1.2, 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.2, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.2 does not properly use SSL for its HTTPS connection, which allows remote authenticate...

6.8CVSS6.1AI score0.00247EPSS

CVE•added 2019/08/20 7:15 p.m.•39 views

CVE-2019-4425

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, and 18.0.0.2 could allow a user to obtain highly sensitive information from another user by inserting links that would be clicked on by unsuspecting users. IBM X-Force ID: 162771.

5.7CVSS5.1AI score0.00276EPSS

CVE•added 2020/09/08 3:15 p.m.•39 views

CVE-2020-4516

IBM Business Process Manager 8.5, 8.6 and IBM Business Automation Workflow 18.0, 19.0, and 20.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclo...

5.4CVSS5.4AI score0.0006EPSS

CVE•added 2020/12/21 6:15 p.m.•39 views

CVE-2020-4794

IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensitive information or cuase a denial of service due to iimproper authorization checking. IBM X-Force I...

5.5CVSS5.3AI score0.00128EPSS

CVE•added 2015/05/30 7:59 p.m.•38 views

CVE-2015-0193

Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5.0 and WebSphere Lombardi Edition (WLE) 7.2.x through 7.2.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted UR...

3.5CVSS6.8AI score0.00201EPSS

CVE•added 2017/09/26 5:29 p.m.•38 views

CVE-2017-1530

5.4CVSS5.2AI score0.00269EPSS

CVE•added 2018/03/30 4:29 p.m.•38 views

CVE-2017-1765

IBM Business Process Manager 8.6 could allow an authenticated user with special privileges to reveal sensitive information about the application server. IBM X-Force ID: 136150.

4.3CVSS4.2AI score0.00323EPSS

CVE•added 2014/07/18 1:0 a.m.•37 views

CVE-2014-0957

Cross-site scripting (XSS) vulnerability in IBM Business Process Manager 7.5 through 8.5.5, and WebSphere Lombardi Edition 7.2, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that triggers a service failure.

4.3CVSS5.7AI score0.00278EPSS

CVE•added 2014/09/04 10:55 a.m.•37 views

CVE-2014-3075

Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 8.5.5 and WebSphere Lombardi Edition 7.2.0.x allows remote authenticated users to inject arbitrary web script or HTML via an uploaded file.

3.5CVSS5.3AI score0.00188EPSS

CVE•added 2014/08/11 10:55 p.m.•37 views

CVE-2014-3076

IBM Business Process Manager (BPM) 8.5 through 8.5.5 allows remote attackers to obtain potentially sensitive information by visiting an unspecified JSP diagnostic page.

5CVSS6.2AI score0.00451EPSS

CVE•added 2014/10/07 10:55 a.m.•37 views

CVE-2014-4802

The Saved Search Admin component in the Process Admin Console in IBM Business Process Manager (BPM) 8.0 through 8.5.5 does not properly restrict task and instance listings in result sets, which allows remote authenticated users to bypass authorization checks and obtain sensitive information by exec...

4CVSS5.8AI score0.00159EPSS

CVE•added 2015/01/21 3:17 p.m.•37 views

CVE-2014-8914

3.5CVSS5.2AI score0.00304EPSS

CVE•added 2015/03/24 12:59 a.m.•37 views

CVE-2015-0105

Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager (BPM) 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3CVSS5.6AI score0.00352EPSS

CVE•added 2015/05/25 2:59 p.m.•37 views

CVE-2015-0156

Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.6.0 and WebSphere Lombardi Edition (WLE) 7.2.x through 7.2.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted UR...

3.5CVSS5.2AI score0.00227EPSS

CVE•added 2018/03/30 4:29 p.m.•37 views

CVE-2017-1766

Due to incorrect authorization in IBM Business Process Manager 8.6 an attacker can claim and work on ad hoc tasks he is not assigned to. IBM X-Force ID: 136151.

4.3CVSS4.4AI score0.00156EPSS

CVE•added 2020/09/08 3:15 p.m.•37 views

CVE-2020-4698

IBM Business Process Manager 8.5, 8.6 and IBM Business Automation Workflow 18.0, 19.0, and 20.0 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials...

6.4CVSS5.3AI score0.00223EPSS

CVE•added 2014/09/04 10:55 a.m.•36 views

CVE-2014-4759

An unspecified Ajax service in the Content Management toolkit in IBM Business Process Manager (BPM) 8.5.x through 8.5.5 allows remote authenticated users to obtain sensitive information by performing a document-attachment search and then reading document properties in the search results.

4CVSS5.8AI score0.00179EPSS

CVE•added 2015/02/13 2:59 a.m.•36 views

CVE-2014-6139

The Search REST API in IBM Business Process Manager 8.0.1.3, 8.5.0.1, and 8.5.5.0 allows remote authenticated users to bypass intended access restrictions and perform task-instance and process-instance searches by specifying a false value for the filterByCurrentUser parameter.

4CVSS6.2AI score0.0014EPSS

Total number of security vulnerabilities60