When you invoke a service using a URL, user input from that request can be returned in the response in unhandled service failure situations.
CVE ID: CVE-2014-0957

**DESCRIPTION:**
IBM WebSphere Lombardi Edition and IBM Business Process Manager are vulnerable to cross-site scripting that is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user’s web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the cookie-based authentication credentials of the user.
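As an added illustration of the flaw described above (example code, not IBM's; the failure-page functions, the escaping helper and the sample request are assumed stand-ins), the following shows a failure page that echoes the requested URL verbatim beside a hardened form that escapes every user-derived value at output, plus a check that flags markup not present in the template:

```javascript
// Added example (not IBM's code): a service-failure page that echoes the
// requested URL, in a vulnerable form and a hardened form. The product's own
// failure-page code is not on the page; these functions are stand-ins.

// Escape the characters that let text break out of an HTML text node or a
// quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the URL of the failing service is interpolated verbatim into
// HTML, so any markup carried in the user-controlled URL becomes part of
// the page returned to the user.
function failurePageUnsafe(requestUrl, err) {
  return `<h1>Service failure</h1><p>Could not invoke ${requestUrl}: ${err}</p>`;
}

// Hardened: every user-derived value is escaped at the point of output.
function failurePageSafe(requestUrl, err) {
  return `<h1>Service failure</h1><p>Could not invoke ${escapeHtml(requestUrl)}: ${escapeHtml(err)}</p>`;
}

// Regression check over rendered output: the response must not contain any
// tag name that the template itself does not use.
function containsForeignTag(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed sample input: a request whose query string carries markup and
// an error message that quotes part of that input.
const SAMPLE_URL = '/rest/bpm/service?name=<b>report</b>';
const SAMPLE_ERR = 'Service "report" is not defined';
```

Running `containsForeignTag` over both renderings of the constructed sample shows the unescaped page carrying a tag the template never emitted, while the hardened page contains only `h1` and `p`.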
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92738 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Install interim fix JR49990 as appropriate for your current IBM Business Process Manager or WebSphere Lombardi Edition version.
If you are using earlier unsupported versions, IBM strongly recommends upgrading to a supported version.
None