IBM Support

JR63133: SECURITY APAR CVE-2020-4757, CVE-2020-4934, PSIRT-ADV0028011, 177835 - MULTIPLE VULNERABILITIES WITH EMBEDDED NAVIGATOR

Direct links to fixes

workflow.2102.delta.repository
8.6.10019003-WS-BPM-MultiOS-IFJR63133
8.6.10019003-WS-BPM-WinX3264-IFJR63133
8.6.20020001-WS-BPM-MultiOS-IFJR63133
8.6.20020001-WS-BPM-WinX3264-IFJR63133

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • CVEID:   CVE-2020-4757
DESCRIPTION:   IBM FileNet Content Manager and IBM Content
Navigator is vulnerable to stored cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in
the Web UI thus altering the intended functionality potentially
leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/188600 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Third Party Entry:   177835
DESCRIPTION:   Apache Commons Codec information disclosure
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/177835 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: PSIRT-ADV0028011
Description: null
CVSS Base Score: 5.9
CVSS Temporal Score:
https://exchange.xforce.ibmcloud.com/vulnerabilities/PSIRT-ADV00
28011 for more information
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVEID:   CVE-2020-4934
DESCRIPTION:   IBM Content Navigator could allow a remote
attacker to traverse directories on the system. An attacker
could send a specially-crafted URL request containing "dot dot"
sequences (/../) to view arbitrary files on the system.
CVSS Base score: 4.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/191752 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

PRODUCTS AFFECTED
IBM Business Automation Workflow

Local fix

  • 



Problem summary


    

  • No additional information is available.

    



Problem conclusion


    

  • A fix is available or will be available that updates the
embedded Content Navigator to address the multiple
vulnerabilities.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR63133
    • 

  • Reported component name
    BUS AUTO WORKFL
    • 

  • Reported component ID
    5737H4100
    • 

  • Reported release
    J00
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2021-01-04
    • 

  • Closed date
    2021-04-21
    • 

  • Last modified date
    2025-07-13
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BUS AUTO WORKFL
    • 

  • Fixed component ID
    5737H4100
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"19.0.0.1","Line of Business":{"code":"LOB76","label":"Data Platform"}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            14 July 2025
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback