History: Jun 15, 2018 - 7:08 a.m.

Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Process Manager web Process Designer (CVE-2017-1494)

2018-06-15 07:08:08
www.ibm.com

EPSS: 0.001 (Low), Percentile: 35.1%

Summary

IBM Business Process Manager web Process Designer is vulnerable to Cross-Site Scripting.

Vulnerability Details

CVEID: CVE-2017-1494
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128692> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or CF containing APAR JR58429 as soon as practical:

For IBM BPM V8.5.5.0

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2

  • Install CF2 as required by iFix and then apply iFix JR58429

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06

Workarounds and Mitigations

None
