IBM Support

JR51742: SECURITY APAR CVE-2014-8913 - CROSS-SITE SCRIPTING (XSS) VULNERABILITY ON IBM PROCESS PORTAL

Direct links to fixes

8.5.5.0-WS-BPM-IFJR51742
8.0.1.3-WS-BPM-IFJR51742
8.5.0.0-WS-BPM-IFJR51742
8.5.0.1-WS-BPM-IFJR51742
Version 8.5 Refresh Pack 6 for the IBM Business Process Manager products
Version 8.5.0 Fix Pack 2 for the IBM Business Process Manager products

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • IBM Business Process Manager (BPM) is vulnerable to cross-site
scripting, which is caused by the improper validation of
user-supplied input. A remote attacker might exploit this
vulnerability by using a specially crafted URL to run a script
in your web browser within the security context of the hosting
website after the URL is clicked. An attacker might use this
vulnerability to steal the your cookie-based authentication
credentials.

PRODUCTS AFFECTED
IBM BPM Advanced
IBM BPM Standard
IBM BPM Express

Local fix

  • N/A

Problem summary

  • The vulnerability exists because no sanitization occurs on the
parameters being passed.

Problem conclusion

  • A fix for IBM BPM V8.0.1.3,V8.5.0.0, V8.5.0.1, and V8.5.5.0 is
available that sanitizes the parameters in the script injection
before passing them to you.

On Fix Central (http://www.ibm.com/support/fixcentral), search
for JR51742:

1. Select IBM Business Process Manager with your edition from
the product selector, the installed version to the fix pack
level, and your platform, and then click Continue.
2. Select APAR or SPR, enter JR51742, and click Continue.

When you download fix packages, ensure that you also download
the readme file for each fix. Review each readme file for
additional installation instructions and information about the
fix.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR51742
    • 

  • Reported component name
    BPM STANDARD
    • 

  • Reported component ID
    5725C9500
    • 

  • Reported release
    850
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2014-11-06
    • 

  • Closed date
    2015-01-20
    • 

  • Last modified date
    2015-01-20
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM STANDARD
    • 

  • Fixed component ID
    5725C9500
    • 



Applicable component levels


    

  • R801  PSY
       UP
    • 

  • R850  PSY
       UP
    • 

  • R855  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            16 October 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback