IBM Support

JR50457: SECURITY APAR CVE-2015-0103 - PERSISTENT CROSS-SITE SCRIPTING VULNERABILITY IN IBM PROCESS PORTAL

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • IBM Business Process Manager (BPM) is vulnerable to persistent
    cross-site scripting because user input retrieved from the
    database is insufficient validated. An authenticated user can
    inject a malicious script into the data fields. Other users
    might inadvertently run this script when displaying this data.
    
    PRODUCTS AFFECTED:
    IBM BPM Advanced
    IBM BPM Standard
    IBM BPM Express
    

Local fix

Problem summary

  • No additional information is available.
    

Problem conclusion

  • A fix will be available for the latest fix pack of all supported
    and affected releases that removes the injected script from
    user inputs in IBM Business Process Manager (BPM).
    
    To see if a fix is available for your release, go to Fix Central
    (http://www.ibm.com/support/fixcentral) and search for JR50457
    
    1. Select IBM Business Process Manager with your edition from
    the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR50457 and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    
    ADDITIONAL DIRECT LINKS TO FIXES:
    
    8.5.5.0-WS-BPM-IFJR50457:
    http://www.ibm.com/support/fixcentral/quickorder?product=i
    bm%2FWebSphere%2FIBM+Business+Process+Manager+Standard&fixid
    s=8.5.5.0-WS-BPM-IFJR50457&source=SAR
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR50457

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-06-10

  • Closed date

    2017-06-21

  • Last modified date

    2017-07-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM ADVANCED

  • Fixed component ID

    5725C9400

Applicable component levels

  • R801 PSY

       UP

  • R850 PSY

       UP

  • R855 PSY

       UP

  • R856 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
14 October 2021