Insufficient user input validation in IBM Business Process Manager’s Process Portal can lead to a cross-site scripting exposure.
CVEID: CVE-2014-8913
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site scripting, which is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user’s web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the user’s cookie-based authentication credentials.
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99284> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVEID: CVE-2014-8914
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site scripting, which is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user’s web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the user’s cookie-based authentication credentials.
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99285> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
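Both descriptions above name the same defect class: a value taken from the request URL is reflected into the page without being validated or encoded, so the browser interprets it as markup rather than text. The following is an added illustration of that pattern and of the standard fix, written for this advisory; it is not IBM code and makes no claim about how Process Portal itself builds its pages. The query parameter name `q`, the page template, the hostname and the sample input are all constructed for the example.

```python
"""Reflected XSS: raw reflection of a URL parameter versus output encoding.

Added example for this advisory. Not IBM's code; the template, the parameter
name `q`, the hostname and the sample URL below are constructed for illustration.
"""
import html
from urllib.parse import parse_qs, urlsplit


def _param(url: str, name: str = "q") -> str:
    """Extract one query parameter (percent-decoded) from a URL."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(url: str) -> str:
    """'Before' pattern: the decoded parameter is pasted straight into HTML.

    Any markup in the parameter becomes part of the document the browser
    executes, which is the exposure the advisory describes.
    """
    return f"<p>Results for: {_param(url)}</p>"


def render_safe(url: str) -> str:
    """Hardened pattern: HTML-encode the parameter at the point of output.

    html.escape(..., quote=True) turns <, >, &, ' and " into entities, so the
    value is displayed verbatim as text and can never open a tag or attribute.
    """
    return f"<p>Results for: {html.escape(_param(url), quote=True)}</p>"


def reflects_markup(rendered: str, supplied: str) -> bool:
    """Regression check: True if a supplied value containing markup characters
    appears in the response unchanged (i.e. it was reflected without encoding).
    """
    has_markup = any(ch in supplied for ch in "<>\"'&")
    return has_markup and supplied in rendered


# Constructed sample: harmless bold markup, percent-encoded as it would be in a URL.
SAMPLE_URL = "https://portal.example.test/search?q=%3Cb%3Ehi%3C%2Fb%3E"
SAMPLE_VALUE = "<b>hi</b>"

if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_URL))
    print("safe   :", render_safe(SAMPLE_URL))
    print("unsafe reflects markup:", reflects_markup(render_unsafe(SAMPLE_URL), SAMPLE_VALUE))
    print("safe reflects markup  :", reflects_markup(render_safe(SAMPLE_URL), SAMPLE_VALUE))
```

The fix is applied at output time rather than by trying to reject "bad" input, because the same value may legitimately need different encodings depending on where it lands (HTML body, attribute, JavaScript, URL); `reflects_markup` is the kind of check that belongs in a test suite so the encoding cannot silently regress.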
Install the interim fix for APAR JR51742 as appropriate for your current IBM Business Process Manager version to close CVE-2014-8913.
Install the interim fix for APAR JR51836 as appropriate for your current IBM Business Process Manager version to close CVE-2014-8914. Please note that for IBM Business Process Manager V8.5.0.1 this fix is included in JR52103.
The attack requires a user to access a malicious URL that the attacker has constructed for this purpose. Advise your users not to click links of unknown or untrusted origins.