IBM Business Process Manager and WebSphere Lombardi Edition Arbitrary Web Script Injection Vulnerability
17 Jul. 2015
Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 126.96.36.199, 8.0 through 188.8.131.52, 8.5.0 through 184.108.40.206, and 8.5.5 through 220.127.116.11 and WebSphere Lombardi Edition (WLE) 7.2.x through 18.104.22.168 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
* IBM Business Process Manager (BPM) before 22.214.171.124
* WebSphere Lombardi Edition (WLE) 7.2.x through 126.96.36.199
* IBM Business Process Manager (BPM) after 188.8.131.52
* WebSphere Lombardi Edition (WLE) after 184.108.40.206
IBM Business Process Manager and WebSphere Lombardi Edition are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability by persuading a user to click a specially crafted URL, causing script to execute in the user's web browser within the security context of the hosting web site. An attacker could use this vulnerability to steal the user's cookie-based authentication credentials.