CVE-2019-4149

05.09.2019, 15:15

IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2 and IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03, V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06, and V8.5.6.0 through V8.5.6.0 CF2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158415.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
ibm	CNA	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.0/AC:L/UI:R/AV:N/I:L/PR:L/A:N/S:C/C:L/RL:O/E:H/RC:C
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 50%

Vendor	Product	Version
ibm	business_automation_workflow	18.0.0.0 ≤ 𝑥 ≤ 18.0.0.2
ibm	business_process_manager	8.5.6.0
ibm	business_process_manager	8.5.6.0:cf1
ibm	business_process_manager	8.5.6.0:cf2
ibm	business_process_manager	8.5.7.0
ibm	business_process_manager	8.5.7.0:cf201706
ibm	business_process_manager	8.6.0.0
ibm	business_process_manager	8.6.0.0:cf201712
ibm	business_process_manager	8.6.0.0:cf201803

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/158415

https://www.ibm.com/support/docview.wss?uid=ibm10885104

https://exchange.xforce.ibmcloud.com/vulnerabilities/158415

https://www.ibm.com/support/docview.wss?uid=ibm10885104