A security vulnerability has been reported for a dependent Node.js module “express”. CVE-2015-1164 affects IBM Business Process Manager (BPM) because IBM BPM includes a stand-alone tool for editing configuration properties files that is based on open source Node.js technology.
CVE-ID: CVE-2015-1164
Description: serve-static module for Node.js could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. A remote attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99936> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
* IBM Business Process Manager Express V8.5.5
* IBM Business Process Manager Standard V8.5.5
* IBM Business Process Manager Advanced V8.5.5
Install IBM Business Process Manager interim fix JR52288 as appropriate for your current IBM Business Process Manager.
IBM BPM Configuration Editor is a stand-alone tool that is shipped as a zip archive. The vulnerability can be exploited only after the archive is unzipped and the server part of the tool is started. As a workaround, you can use any ordinary text editor to work with IBM BPM configuration properties files.