漏洞类别:Local
漏洞等级: 
漏洞信息
IBM Business Process Manager is a comprehensive BPM platform that provides visibility and insight to manage business processes. IBM Business Process Manager is affected by an HTML Injection/Cross Site Scripting vulnerability.
Affected Versions:
IBM Business Process Manager 8.5.7.0 through V8.5.7.0 CF 2017.06
QID Detection Logic (Authenticated):
Operating System: Unix
The QID checks if a vulnerable version of IBM Business Process Manager is installed by running the "/opt/ibm/BPM/v8.5/bin/versionInfo.sh" command. The QID then verifies if the fix JR58043 is applied or not with the help of the command "/opt/ibm/BPM/v8.x/bin/versionInfo.sh -fixpacks -ifixes".
Operating System: Windows
The QID checks Windows registry to see if IBM BPM is installed or not. If found, it looks for 'version.txt' in the product's installed path to see if it's vulnerable.
漏洞危害
An authenticated, remote user could exploit this vulnerability to execute arbitrary Javascript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
解决方案
Please refer to the following link SWG22005112.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论