IBM Support

JR51742: SECURITY APAR CVE-2014-8913 - CROSS-SITE SCRIPTING (XSS) VULNERABILITY ON IBM PROCESS PORTAL

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • IBM Business Process Manager (BPM) is vulnerable to cross-site
    scripting, which is caused by the improper validation of
    user-supplied input. A remote attacker might exploit this
    vulnerability by using a specially crafted URL to run a script
    in your web browser within the security context of the hosting
    website after the URL is clicked. An attacker might use this
    vulnerability to steal the your cookie-based authentication
    credentials.
    
    PRODUCTS AFFECTED
    IBM BPM Advanced
    IBM BPM Standard
    IBM BPM Express
    

Local fix

  • N/A
    

Problem summary

  • The vulnerability exists because no sanitization occurs on the
    parameters being passed.
    

Problem conclusion

  • A fix for IBM BPM V8.0.1.3,V8.5.0.0, V8.5.0.1, and V8.5.5.0 is
    available that sanitizes the parameters in the script injection
    before passing them to you.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR51742:
    
    1. Select IBM Business Process Manager with your edition from
    the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR51742, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR51742

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-11-06

  • Closed date

    2015-01-20

  • Last modified date

    2015-01-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R801 PSY

       UP

  • R850 PSY

       UP

  • R855 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
16 October 2021