IBM Support

JR58150: SECURITY APAR CVE-2013-0464 - BUSINESS SPACE HELP IS VULNERABLE TO A CROSS-SITE (XSS) SCRIPTING ATTACK

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

Direct links to fixes

bpm.8600.delta.repository
8.5.7.201706-WS-BPM-IFJR58150
8.5.6.2-WS-BPM-IFJR58150
8.5.5.0-WS-BPM-IFJR58150
8.5.0.2-WS-BPM-IFJR58150
8.0.1.3-WS-BPM-IFJR58150
8.5.7.0-WS-WBM-IFJR58150
8.5.6.0-WS-WBM-IFJR58150
8.5.5.0-WS-WBM-IFJR58150
8.0.1.3-WS-BSPACE-IFBS58150

 

APAR status

  • Closed as program error.

Error description

  • CVEID: CVE-2013-0464
DESCRIPTION: IBM Eclipse Help System, as used in multiple IBM
products, is vulnerable to cross-site scripting. A remote
attacker could exploit this vulnerability using a specially
crafted URL to execute script in a victim's web browser within
the security context of the hosting website when the URL is
clicked. An attacker could use this vulnerability to steal the
victim's cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score:
See http://xforce.iss.net/xforce/xfdb/81060 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

PRODUCTS AFFECTED
IBM Business Process Manager (BPM) Advanced
IBM BPM Standard
IBM BPM Express
BM Business Monitor

Local fix

  • 



Problem summary


    

  • No additional information is available.

    



Problem conclusion


    

  • A fix that includes fixes from the IEHS is available for the IBM
BPM V7.5.1.2, V8.0.1.3, V8.5.0.2, V8.5.5.0, V8.5.6.2 fix packs,
IBM BPM V8.5.7 cumulative fixes, and future IBM BPM releases as
well as IBM Business Monitor V8.0.1.3, V8.5.5.0, V8.5.6.2 and
V8.5.7.0. This fix also prevents the cross-site scripting
vulnerability.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR58150
    • 

  • Reported component name
    BPM ADVANCED
    • 

  • Reported component ID
    5725C9400
    • 

  • Reported release
    857
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-07-13
    • 

  • Closed date
    2017-09-21
    • 

  • Last modified date
    2017-09-22
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM ADVANCED
    • 

  • Fixed component ID
    5725C9400
    • 



Applicable component levels


    

  • R751  PSY
       UP
    • 

  • R801  PSY
       UP
    • 

  • R850  PSY
       UP
    • 

  • R855  PSY
       UP
    • 

  • R856  PSY
       UP
    • 

  • R857  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"857","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            22 September 2017
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback