IBM Business Process Manager WebSphere Lombardi Edition Inject Arbitrary Web Script Vulnerabilities
17 Jul. 2015
Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 188.8.131.52, 8.0 through 184.108.40.206, 8.5.0 through 220.127.116.11, and 8.5.5 through 18.104.22.168 and WebSphere Lombardi Edition (WLE) 7.2.x through 22.214.171.124 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
* IBM Business Process Manager (BPM) before 126.96.36.199
* WebSphere Lombardi Edition (WLE) 7.2.x through 188.8.131.52
* IBM Business Process Manager (BPM) after 184.108.40.206
* WebSphere Lombardi Edition (WLE) after 220.127.116.11
IBM Business Process Manager and WebSphere Lombardi Edition are vulnerable to cross-site scripting, which is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user's web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the user's cookie-based authentication credentials.
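The flaw class described above, reflected cross-site scripting from a URL parameter, shown as an added illustration (not IBM's code, and not the actual vulnerable endpoint): an unsafe sink that copies a query value into the page beside its output-encoded form, plus an HttpOnly session cookie as a second layer against the cookie-theft outcome the advisory names. The host, the parameter name `q`, the page template and the cookie value are constructed for the example.

```python
"""Reflected XSS: an unsafe URL-parameter sink beside its hardened form.

Added illustration, not IBM code. The parameter name ``q``, the host and the
page template are constructed; the advisory does not name the parameter.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: a crafted URL carrying script in a query value.
CRAFTED_URL = "https://bpm.example.test/portal/search?q=<script>alert(1)</script>"


def query_param(url: str, name: str) -> str:
    """Return the first value of *name* from the URL's query string ("" if absent)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable pattern: the parameter is copied into the HTML body unchanged,
    so markup supplied in the URL becomes markup in the page."""
    q = query_param(url, "q")
    return f"<p>Results for: {q}</p>"


def render_safe(url: str) -> str:
    """Hardened: the same value is HTML-entity encoded for the body context,
    so '<', '>', '&' and quotes can no longer close or open tags."""
    q = query_param(url, "q")
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the cookie theft named in the advisory: an HttpOnly
    cookie is not readable by injected script, and Secure keeps it off
    clear-text connections. Cookie name/value are constructed."""
    return f"Set-Cookie: JSESSIONID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def contains_active_markup(page: str) -> bool:
    """Crude check: does the rendered page still carry a raw <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_unsafe(CRAFTED_URL))   # script tag reaches the browser
    print(render_safe(CRAFTED_URL))     # &lt;script&gt; is rendered as text
    print(session_cookie_header("constructed-session-id"))
```

Encoding must match the output context: `html.escape` is correct for HTML body text, while a value reflected into an attribute, a URL or a script block needs that context's encoder instead.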