CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:S/C:N/I:P/A:N |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |
Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |

EPSS

Percentile | 35.1% |
A Cross-Site Scripting vulnerability has been found in Business Process Choreographer (BPC) Explorer of IBM Business Automation Workflow.
CVEID: CVE-2018-1849
DESCRIPTION: IBM Business Process Manager (BPM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the web UI, thus altering the intended functionality and potentially disclosing credentials in a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1
- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- IBM Business Process Manager Advanced V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- IBM Business Process Manager Advanced V8.5.6.0 through V8.5.6.0 Cumulative Fix 2
- IBM Business Process Manager Advanced V8.5.5.0
- IBM Business Process Manager Advanced V8.5.0.0 through V8.5.0.2
- IBM Business Process Manager Advanced V8.0.0.0 through V8.0.1.3
- IBM Business Process Manager Advanced V7.5.0.0 through V7.5.1.2
- earlier unsupported versions of WebSphere Process Server
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR60177 as soon as practical:

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1
- Upgrade to the minimal cumulative fix levels required by the iFix and then apply iFix JR60177. Note that Business Automation Workflow 18.0.0.0 is a software bundle that includes IBM Business Process Manager V8.6.0.0 CF 2018.03. To download the fix for IBM Business Automation Workflow 18.0.0.0, download the fix labeled "8.6.0.201803-WS-BPM-IFJR60177".
-- OR --
- Apply cumulative fix Business Automation Workflow V18.0.0.2

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
- Upgrade to the minimal cumulative fix levels required by the iFix and then apply iFix JR60177. Note that Business Automation Workflow 18.0.0.0 is a software bundle that includes IBM Business Process Manager V8.6.0.0 CF 2018.03. To download the fix for IBM Business Process Manager V8.6.0.0 CF 2018.03, download the fix labeled "8.6.0.201803-WS-BPM-IFJR60177".
-- OR --
- Upgrade to Business Automation Workflow V18.0.0.2

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
- Apply Cumulative Fix 2017.06 and then apply iFix JR60177
-- OR --
- Upgrade to Business Automation Workflow V18.0.0.2

For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
- Apply CF2 and then apply iFix JR60177
-- OR --
- Upgrade to Business Automation Workflow V18.0.0.2

For IBM BPM V8.5.5.0
- Apply iFix JR60177
-- OR --
- Upgrade to Business Automation Workflow V18.0.0.2

For IBM BPM V8.5.0.0 through V8.5.0.2
- Apply iFix JR60177
-- OR --
- Upgrade to Business Automation Workflow V18.0.0.2

For products in extended support:
- Migrate to Business Automation Workflow V18.0.0.2
-- OR --
- Contact IBM support to obtain and then apply iFix JR60177
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | business_automation_workflow | 18.0.0.0 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 18.0.0.1 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:* |
ibm | business_process_manager | 8.6.0. | cpe:2.3:a:ibm:business_process_manager:8.6.0.:*:*:*:*:*:*:* |
ibm | business_process_manager | 201803 | cpe:2.3:a:ibm:business_process_manager:201803:*:*:*:*:*:*:* |
ibm | business_process_manager | 201712 | cpe:2.3:a:ibm:business_process_manager:201712:*:*:*:*:*:*:* |
ibm | business_process_manager | 8.6 | cpe:2.3:a:ibm:business_process_manager:8.6:*:*:*:*:*:*:* |
ibm | business_process_manager | 8.5.7. | cpe:2.3:a:ibm:business_process_manager:8.5.7.:*:*:*:advanced:*:*:* |
ibm | business_process_manager | 201706 | cpe:2.3:a:ibm:business_process_manager:201706:*:*:*:advanced:*:*:* |
ibm | business_process_manager | 201703 | cpe:2.3:a:ibm:business_process_manager:201703:*:*:*:advanced:*:*:* |
ibm | business_process_manager | 201612 | cpe:2.3:a:ibm:business_process_manager:201612:*:*:*:advanced:*:*:* |