JR49990: SECURITY APAR CVE-2014-0957 - SCRIPT INJECTION ON CALLSERVICE.DO AND STACK TRACE UNNECESSARILY SHOWN TO END USER
Fixes are available
Closed as program error.
When you invoke a service by using a URL, user input or sensitive data might be returned in unhandled service failure situations, causing cross-site scripting or disclosing sensitive information. PRODUCTS AFFECTED: IBM Business Process Manager (BPM) Advanced IBM BPM Standard IBM BPM Express
A fix for IBM BPM is available that fixes the script injection and information disclosure vulnerabilities by preventing detailed error information from being returned to an end user's browser. On Fix Central (http://www.ibm.com/support/fixcentral), search for JR49990: 1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue. 2. Select APAR or SPR, enter JR49990, and click Continue. When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Reported component name
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
Fixed component ID
Applicable component levels