IBM Support

JR55152: SECURITY CVE-2016-0227: CROSS-SITE (XSS) VULNERABILITY IN DOCUMENT LIST COACH VIEW

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Because the user input is not escaped sufficiently, IBM Business
    Process Manager (BPM) document list control is vulnerable to
    cross-site (XSS) scripting.
    

Local fix

Problem summary

  • No additional information is available.
    

Problem conclusion

  • A fix is available for the latest fix pack of all supported
    releases of IBM BPM. This fix encodes user supplied values
    before embedding them into DOM to prevent cross-site scripting.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR55152:
    
        1. Select IBM Business Process Manager with your edition
    from the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
        2. Select APAR or SPR, enter JR55152, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR55152:
    
        1. Select IBM Business Process Manager with your edition
    from the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
        2. Select APAR or SPR, enter JR55152, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR55152

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-01-22

  • Closed date

    2016-02-29

  • Last modified date

    2016-02-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R801 PSY

       UP

  • R850 PSY

       UP

  • R855 PSY

       UP

  • R856 PSY

       UP

  • R857 PSY

       UP



Document information

More support for: IBM Business Process Manager Standard

Software version: 855

Reference #: JR55152

Modified date: 29 February 2016