IBM Support

JR55152: SECURITY CVE-2016-0227: CROSS-SITE (XSS) VULNERABILITY IN DOCUMENT LIST COACH VIEW

Direct links to fixes

8.0.1.3-WS-BPM-IFJR56936
8.5.0.2-WS-BPM-IFJR55152
8.5.6.2-WS-BPM-IFJR55152
8.0.1.3-WS-BPM-IFJR55152
Version 8.5 Refresh Pack 7 for the IBM Business Process Manager products

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Because the user input is not escaped sufficiently, IBM Business
Process Manager (BPM) document list control is vulnerable to
cross-site (XSS) scripting.

Local fix

  • 



Problem summary


    

  • No additional information is available.

    



Problem conclusion


    

  • A fix is available for the latest fix pack of all supported
releases of IBM BPM. This fix encodes user supplied values
before embedding them into DOM to prevent cross-site scripting.

On Fix Central (http://www.ibm.com/support/fixcentral), search
for JR55152:

    1. Select IBM Business Process Manager with your edition
from the product selector, the installed version to the fix pack
level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR55152, and click Continue.

When you download fix packages, ensure that you also download
the readme file for each fix. Review each readme file for
additional installation instructions and information about the
fix.

On Fix Central (http://www.ibm.com/support/fixcentral), search
for JR55152:

    1. Select IBM Business Process Manager with your edition
from the product selector, the installed version to the fix pack
level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR55152, and click Continue.

When you download fix packages, ensure that you also download
the readme file for each fix. Review each readme file for
additional installation instructions and information about the
fix.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR55152
    • 

  • Reported component name
    BPM STANDARD
    • 

  • Reported component ID
    5725C9500
    • 

  • Reported release
    855
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2016-01-22
    • 

  • Closed date
    2016-02-29
    • 

  • Last modified date
    2016-02-29
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM STANDARD
    • 

  • Fixed component ID
    5725C9500
    • 



Applicable component levels


    

  • R801  PSY
       UP
    • 

  • R850  PSY
       UP
    • 

  • R855  PSY
       UP
    • 

  • R856  PSY
       UP
    • 

  • R857  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            16 October 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback