Stored Cross-Site Scripting in IBM Business Process Manager and Workflow
CVE-2021-38893

6.4 MEDIUM

Key Information:

Vendor: IBM
CVE Published: 21 December 2021

Summary

IBM Business Process Manager versions 8.5 and 8.6, along with IBM Business Automation Workflow versions 18.0 to 21.0, are vulnerable to stored cross-site scripting. An attacker can insert arbitrary JavaScript code into the Web UI, which alters the application's intended behavior. This could lead to unauthorized disclosure of user credentials within a trusted session, compromising the security of sensitive data.

Affected Version(s)

Business Process Manager Standard 8.5.5

Business Process Manager Standard 8.5.7.CF201706

Business Process Manager Standard 8.5.7.CF201703

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
