Business Process Manager Security Vulnerabilities and Issues — Business Process Manager CVE List

Lucene search

IbmBusiness Process Manager

23 matches found

CVE•added 2022/03/18 4:15 p.m.•76 views

CVE-2021-39046

IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 stores user credentials in plain clear text which can be read by a lprivileged user. IBM X-Force ID: 214346.

4.9CVSS5AI score0.00145EPSS

CVE•added 2016/03/21 2:59 p.m.•49 views

CVE-2015-7454

Business Space in IBM WebSphere Process Server 6.1.2.0 through 7.0.0.5 and Business Process Manager Advanced 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0.x through 8.5.0.2, 8.5.5.x through 8.5.5.0, and 8.5.6.x through 8.5.6.2 allows remote authenticated users to bypass intended access restri...

4.3CVSS5.5AI score0.0016EPSS

CVE•added 2019/04/08 3:29 p.m.•46 views

CVE-2019-4045

IBM Business Automation Workflow and IBM Business Process Manager 18.0.0.0, 18.0.0.1, and 18.0.0.2 provide embedded document management features. Because of a missing restriction in an API, a client might spoof the last modified by value of a document. IBM X-Force ID: 156241.

4.3CVSS4.4AI score0.00126EPSS

CVE•added 2015/03/24 2:1 a.m.•45 views

CVE-2015-0158

Cross-site scripting (XSS) vulnerability in the Coach NG framework in IBM Business Process Manager (BPM) 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3CVSS5.6AI score0.00358EPSS

CVE•added 2015/03/24 12:59 a.m.•43 views

CVE-2015-0106

Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 and WebSphere Lombardi Edition (WLE) 7.2.x through 7.2.0.5 allows remote attackers to inject arbitrary web script or HTML via a...

4.3CVSS5.6AI score0.00271EPSS

CVE•added 2014/10/31 10:55 a.m.•42 views

CVE-2014-6101

Cross-site scripting (XSS) vulnerability in the redirect-login feature in IBM Business Process Manager (BPM) Advanced 7.5 through 8.5.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3CVSS5.7AI score0.00321EPSS

CVE•added 2018/03/30 4:29 p.m.•42 views

CVE-2017-1756

IBM Business Process Manager 8.6 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 135856.

4CVSS3.4AI score0.00111EPSS

CVE•added 2019/04/08 3:29 p.m.•42 views

CVE-2018-1999

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, and 18.0.0.2 could reveal sensitive version information about the server from error pages that could aid an attacker in further attacks against the system. IBM X-Force ID: 154889.

4.3CVSS4.2AI score0.00119EPSS

CVE•added 2014/08/17 11:55 p.m.•41 views

CVE-2014-3087

callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE)...

4CVSS6.4AI score0.00291EPSS

CVE•added 2014/12/17 12:59 a.m.•41 views

CVE-2014-6182

Directory traversal vulnerability in an export function in the Process Center in IBM Business Process Manager (BPM) 8.0.x through 8.0.1.3 and 8.5.x through 8.5.5 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a URL.

4CVSS6.2AI score0.00389EPSS

CVE•added 2014/09/04 10:55 a.m.•40 views

CVE-2014-4758

IBM Business Process Manager (BPM) 7.5.x through 8.5.5 and WebSphere Lombardi Edition 7.2.x allow remote authenticated users to bypass intended access restrictions and send requests to internal services via a callService URL.

4CVSS6.2AI score0.00202EPSS

CVE•added 2014/12/16 11:59 p.m.•39 views

CVE-2014-6176

IBM WebSphere Process Server 7.0, WebSphere Enterprise Service Bus 7.0, and Business Process Manager Advanced 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5 disregard the SSL setting in the SCA module HTTP import binding and unconditionally select the SSLv3 protocol, which ma...

4.3CVSS6.1AI score0.0036EPSS

CVE•added 2015/07/21 7:59 p.m.•39 views

CVE-2015-1905

The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions on task-variable value changes via unspecified vectors.

4CVSS6.1AI score0.00154EPSS

CVE•added 2018/03/30 4:29 p.m.•38 views

CVE-2017-1765

IBM Business Process Manager 8.6 could allow an authenticated user with special privileges to reveal sensitive information about the application server. IBM X-Force ID: 136150.

4.3CVSS4.2AI score0.00323EPSS

CVE•added 2014/07/18 1:0 a.m.•37 views

CVE-2014-0957

Cross-site scripting (XSS) vulnerability in IBM Business Process Manager 7.5 through 8.5.5, and WebSphere Lombardi Edition 7.2, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that triggers a service failure.

4.3CVSS5.7AI score0.00278EPSS

CVE•added 2014/10/07 10:55 a.m.•37 views

CVE-2014-4802

The Saved Search Admin component in the Process Admin Console in IBM Business Process Manager (BPM) 8.0 through 8.5.5 does not properly restrict task and instance listings in result sets, which allows remote authenticated users to bypass authorization checks and obtain sensitive information by exec...

4CVSS5.8AI score0.00159EPSS

CVE•added 2015/03/24 12:59 a.m.•37 views

CVE-2015-0105

Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager (BPM) 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3CVSS5.6AI score0.00352EPSS

CVE•added 2018/03/30 4:29 p.m.•37 views

CVE-2017-1766

Due to incorrect authorization in IBM Business Process Manager 8.6 an attacker can claim and work on ad hoc tasks he is not assigned to. IBM X-Force ID: 136151.

4.3CVSS4.4AI score0.00156EPSS

CVE•added 2021/06/28 4:15 p.m.•37 views

CVE-2021-29751

IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.5 and 8.6 could allow an authenticated user to obtain sensitive information about another user under nondefault configurations. IBM X-Force ID: 201779.

4.3CVSS4.4AI score0.00225EPSS

CVE•added 2014/09/04 10:55 a.m.•36 views

CVE-2014-4759

An unspecified Ajax service in the Content Management toolkit in IBM Business Process Manager (BPM) 8.5.x through 8.5.5 allows remote authenticated users to obtain sensitive information by performing a document-attachment search and then reading document properties in the search results.

4CVSS5.8AI score0.00179EPSS

CVE•added 2015/02/13 2:59 a.m.•36 views

CVE-2014-6139

The Search REST API in IBM Business Process Manager 8.0.1.3, 8.5.0.1, and 8.5.5.0 allows remote authenticated users to bypass intended access restrictions and perform task-instance and process-instance searches by specifying a false value for the filterByCurrentUser parameter.

4CVSS6.2AI score0.0014EPSS

CVE•added 2020/05/06 2:15 p.m.•36 views

CVE-2020-4446

IBM Business Process Manager 8.0, 8.5, and 8.6 and IBM Business Automation Workflow 18.0 and 19.0 could allow a remote attacker to bypass security restrictions, caused by the failure to perform insufficient authorization checks. IBM X-Force ID: 181126.

4.3CVSS4.5AI score0.00077EPSS

CVE•added 2015/06/28 2:59 p.m.•35 views

CVE-2015-1884

Directory traversal vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 and WebSphere Lombardi Edition (WLE) 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via a crafted int...

4CVSS6.2AI score0.00808EPSS