JR50457: SECURITY APAR CVE-2015-0103 - PERSISTENT CROSS-SITE SCRIPTING VULNERABILITY IN IBM PROCESS PORTAL
Direct links to fixes
Closed as program error.
IBM Business Process Manager (BPM) is vulnerable to persistent cross-site scripting because user input retrieved from the database is insufficient validated. An authenticated user can inject a malicious script into the data fields. Other users might inadvertently run this script when displaying this data. PRODUCTS AFFECTED: IBM BPM Advanced IBM BPM Standard IBM BPM Express
No additional information is available.
A fix will be available for the latest fix pack of all supported and affected releases that removes the injected script from user inputs in IBM Business Process Manager (BPM). To see if a fix is available for your release, go to Fix Central (http://www.ibm.com/support/fixcentral) and search for JR50457 1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue. 2. Select APAR or SPR, enter JR50457 and click Continue. When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix. ADDITIONAL DIRECT LINKS TO FIXES: 18.104.22.168-WS-BPM-IFJR50457: http://www.ibm.com/support/fixcentral/quickorder?product=i bm%2FWebSphere%2FIBM+Business+Process+Manager+Standard&fixid s=22.214.171.124-WS-BPM-IFJR50457&source=SAR
Reported component name
Reported component ID
NoSpecatt / Xsystem
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
Fixed component ID
Applicable component levels