Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMFDF1FEFDD354EC078A8A57BC8E436AA022D0E73C22CCBD74E2517E3687889B74
HistoryDec 02, 2020 - 3:37 p.m.

Security Bulletin: Multiple security vulnerabilities with Administration Console for Content Platform Engine component in IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-4447, CVE-2020-4759

2020-12-0215:37:44
www.ibm.com
13
ibm business automation workflow
ibm business process manager
content platform engine
cross-site scripting
csv injection
ifix
upgrade
mitigation limit access

EPSS

0.001

Percentile

26.2%

JSON

Summary

The embedded Content Platform Engine Component, which includes Administration Console for Content Platform Engine (ACCE), that is shipped with IBM Business Process Manager and IBM Business Automation Workflow is vulnerable to a cross-site scripting vulnerability and a CSV Injection vulnerability.

Vulnerability Details

CVEID:CVE-2020-4759
**DESCRIPTION:**IBM FileNet Content Manager 5.5.4 and 5.5.5 is potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 188736.
CVSS Base score: 7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188736 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-4447
**DESCRIPTION:**IBM FileNet Content Manager 5.5.3 and 5.5.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 181227.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181227 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Business Automation Workflow v19.0.0.x
IBM Business Automation Workflow v18.0.0.x
IBM Business Process Manager v8.6.0 / v18.0.0.0
IBM Business Process Manager v8.5.x

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR62536 as soon as practical:

For Business Automation Workflow v19.0.0.x
ยท Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR62536
--ORโ€“
ยท Apply cumulative fix Business Automation Workflow V20.0.0.1 or later

For Business Process Manager V8.5.5, V8.6.0, or v18.0.0.x
ยท Upgrade to Business Automation Workflow v19.0.0.2 or later, and minimal cumulative fix levels as required by iFix and then apply iFix JR62536
--ORโ€“
ยท Apply cumulative fix Business Automation Workflow V20.0.0.1 or later

Workarounds and Mitigations

The Administration Console for Content Platform Engine (ACCE) application is an admin application that is only available to admin users. The risk can be mitigated by limiting the users that have access to the ACCE application from and endpoint perspective and also from an authentication perspective.

Related

nvd 2
prion 2
ibm 2
cve 2
cvelist 2
nvd
nvd
CVE-2020-4759
2020-11-09 21:15:13
CVE-2020-4447
2020-07-23 16:15:12
prion
prion
Input validation
2020-11-09 21:15:00
Cross site scripting
2020-07-23 16:15:00
ibm
ibm
Security Bulletin: CSV Injection Security vulnerability in ACCE in FileNet Content Manager
2020-11-10 22:15:42
Security Bulletin: Cross Site Scripting security vulnerabilities in FileNet Content Manager
2020-11-10 22:42:47
cve
cve
CVE-2020-4759
2020-11-09 21:15:13
CVE-2020-4447
2020-07-23 16:15:12
cvelist
cvelist
CVE-2020-4759
2020-11-09 20:25:18
CVE-2020-4447
2020-07-23 16:05:15

EPSS

0.001

Percentile

26.2%

JSON
Related for FDF1FEFDD354EC078A8A57BC8E436AA022D0E73C22CCBD74E2517E3687889B74
nvd2prion2ibm2cve2cvelist2