Published: Jun 15, 2018 - 7:02 a.m.

Security Bulletin: Cross-site scripting vulnerabilities in IBM Business Process Manager (BPM) Process Portal (CVE-2014-8913, CVE-2014-8914)

Source: www.ibm.com

EPSS: 0.002 (percentile 54.7%)

Summary

Insufficient user input validation in IBM Business Process Manager’s Process Portal can lead to a cross-site scripting exposure.

Vulnerability Details

CVEID: CVE-2014-8913
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site scripting, which is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user’s web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the user’s cookie-based authentication credentials.

CVSS Base Score: 3.5

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99284> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2014-8914
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site scripting, which is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user’s web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the user’s cookie-based authentication credentials.

CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99285> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

  • IBM Business Process Manager Standard V8.0.x, 8.5.x
  • IBM Business Process Manager Express V8.0.x, 8.5.x
  • IBM Business Process Manager Advanced V8.0.x, 8.5.x

Remediation/Fixes

Install the interim fix for APAR JR51742 as appropriate for your current IBM Business Process Manager version to close CVE-2014-8913.

Install the interim fix for APAR JR51836 as appropriate for your current IBM Business Process Manager version to close CVE-2014-8914. Please note that for IBM Business Process Manager V8.5.0.1 this fix is included in JR52103.

Workarounds and Mitigations

The attack requires a user to access a malicious URL that the attacker has constructed for this purpose. Advise your users not to click links of unknown or untrusted origins.
