Direct links to fixes
8.5.5.0-WS-BPM-IFJR52626
8.5.0.1-WS-BPM-IFJR52626
8.0.1.3-WS-BPM-IFJR52626
WLE-7.2.0.5-HotFix-JR52626
7.5.1.2-WS-BPM-IFJR52626
7.5.1.0-WS-BPM-IFJR52626
Version 8.5 Refresh Pack 6 for the IBM Business Process Manager products
Version 8.5.0 Fix Pack 2 for the IBM Business Process Manager products
Version 8.5 Refresh Pack 7 for the IBM Business Process Manager products
APAR status
Closed as program error.
Error description
IBM Business Process Manager (BPM) is vulnerable to cross-site scripting (XSS) because user-supplied input is improperly neutralized in some error situations. A remote attacker could exploit this vulnerability by using a specially crafted URL to run a script in your web browser within the security context of the hosting web site when the URL is clicked. An attacker could use this vulnerability to steal your cookie-based authentication credentials. PRODUCTS AFFECTED IBM BPM Advanced IBM BPM Standard IBM BPM Express
Local fix
Problem summary
IBM Process Portal might return unvalidated user input in some error situations, which results in a cross-site scripting (XSS) vulnerability if the user-supplied input contains an executable script.
Problem conclusion
A fix will be available for the latest fix pack of all supported and affected releases that replace the stack traces with generic messages. To see if a fix is available for your release, go to Fix Central (http://www.ibm.com/support/fixcentral) and search for JR52626: 1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue. 2. Select APAR or SPR, enter JR52626, and click Continue. When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Temporary fix
Not applicable
Comments
APAR Information
APAR number
JR52626
Reported component name
BPM ADVANCED
Reported component ID
5725C9400
Reported release
751
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-02-19
Closed date
2015-05-27
Last modified date
2015-05-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM ADVANCED
Fixed component ID
5725C9400
Applicable component levels
R751 PSY
UP
R801 PSY
UP
R850 PSY
UP
R855 PSY
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5.1","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
14 October 2021