IBM Support

JR50241: CROSS SITE SCRIPTING VULNERABILITY IN PROCESS INSPECTOR

Direct links to fixes

8.0.1.3-WS-BPM-IFJR50241
Version 8.5 Refresh Pack 5 for the IBM Business Process Manager products
Version 8.5 Refresh Pack 6 for the IBM Business Process Manager products
Version 8.5.0 Fix Pack 2 for the IBM Business Process Manager products

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • A cross-site scripting exposure occurs in Process Inspector
where scripting text can be injected to cause manipulated
responses or obtain sensitive information.

On 8501 this can be regressed by JR51636 and fixed by JR49363.
Please download JR49363 to obtain this fix.

Local fix

  • 



Problem summary


    

  • The system is vulnerable to persistent Cross-Site Scripting
attack. This vulnerability stems from missing validation and
encoding on input received from the system's data source while
using this input in order to generate dynamic web pages.
You can use Escalate Task function in Process Inspector to
inject scripting language into the request.


*UPDATE(May.12,2015)* This fix has been superseded by JR49363 on
v8.5.0.1. Please download JR49363 to obtain this fix.

    



Problem conclusion


    

  • A fix is available for IBM BPM V8.5.0.1. The request input is
now validated with a proper error message returned with the
input string escaped correctly.

*UPDATE(May.12,2015)* This fix has been superseded by JR49363 on
v8.5.0.1. Please download JR49363 to obtain this fix.

On Fix Central (http://www.ibm.com/support/fixcentral), search
for JR49363:

1.Select IBM Business Process Manager with your edition from the
product selector, the installed version to the fix pack level,
and your platform, and then click Continue.
2.Select APAR or SPR, enter JR49363, and click Continue.

When you download fix packages, ensure that you also download
the readme file for each fix. Review each readme file for
additional installation instructions and information about the
fix.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR50241
    • 

  • Reported component name
    BPM ADVANCED
    • 

  • Reported component ID
    5725C9400
    • 

  • Reported release
    850
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2014-05-15
    • 

  • Closed date
    2014-07-28
    • 

  • Last modified date
    2015-05-12
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM ADVANCED
    • 

  • Fixed component ID
    5725C9400
    • 



Applicable component levels


    

  • R850  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            14 October 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback