CVE-2015-4955
Description
Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 before 8.5.6.0 CF1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
Mitigations
Vendor security bulletin (psirt@us.ibm.com): http://www-01.ibm.com/support/docview.wss?uid=swg21966010
Vendor APAR JR54007 (fix): http://www-01.ibm.com/support/docview.wss?uid=swg1JR54007
Vendor APAR JR53179 (fix): http://www-01.ibm.com/support/docview.wss?uid=swg1JR53179
Vendor APAR JR52696 (fix): http://www-01.ibm.com/support/docview.wss?uid=swg1JR52696
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| ibm | business_process_manager | 8.0.0.0 | |
| ibm | business_process_manager | 8.0.1.0 | |
| ibm | business_process_manager | 8.0.1.1 | |
| ibm | business_process_manager | 8.0.1.2 | |
| ibm | business_process_manager | 8.0.1.3 | |
| ibm | business_process_manager | 8.5.0.0 | |
| ibm | business_process_manager | 8.5.0.1 | |
| ibm | business_process_manager | 8.5.5.0 | |
| ibm | business_process_manager | 8.5.6.0 | 8.5.6.0 CF1 |
References
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR52696
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR53179
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR54007
- http://www-01.ibm.com/support/docview.wss?uid=swg21966010
- http://www.securitytracker.com/id/1033733
CWEs
CWE-79