Man Shum

**Name of the Vulnerable Software and Affected Versions** IBM Business Automation Workflow versions 18.0.0 through 22.0.1 **Description** The issue allows an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts due to cross-site request forgery. **Recommendations** For versions 18.0.0 through 22.0.1, update to a version that is not affected by this issue to prevent cross-site request forgery attacks. As a temporary workaround, consider implementing additional validation for requests to prevent unauthorized actions. Restrict access to sensitive operations to minimize the risk of exploitation.

**Nome do software vulnerável e versões afetadas** IBM Business Process Manager, versões 19.0.0.1 a 19.0.0.3 IBM Business Process Manager, versões 20.0.0.1 a 20.0.0.2 IBM Business Process Manager, versões 21.0.1 a 21.0.3.1 **Descrição** Esta vulnerabilidade permite que usuários incorporem código JavaScript arbitrário na interface de usuário da Web, alterando a funcionalidade pretendida e potencialmente levando à divulgação de credenciais dentro de uma sessão confiável. A vulnerabilidade está relacionada a cross-site scripting. **Recomendações** Para as versões 19.0.0.1 a 19.0.0.3 do IBM Business Process Manager, atualize para uma versão que não seja afetada por esta vulnerabilidade. Para as versões 20.0.0.1 a 20.0.0.2 do IBM Business Process Manager, atualize para uma versão que não seja afetada por este problema. Para as versões 21.0.1 a 21.0.3.1 do IBM Business Process Manager, atualize para uma versão que não seja afetada por este problema. Como solução alternativa temporária, considere restringir o acesso à interface de usuário da Web para minimizar o risco de exploração.

Name of the Vulnerable Software and Affected Versions: Jenkins Blue Ocean Plugins versions 1.10.1 and earlier Description: A cross-site scripting issue exists that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user. The vulnerability is found in several files, including `Export.java`, `ExportConfig.java`, `JSONDataWriter.java`, `UserStatePreloader.java`, and `header.jelly`. Recommendations: For Jenkins Blue Ocean Plugins versions 1.10.1 and earlier, consider disabling the editing of user descriptions in Jenkins until a patch is available. Restrict access to the Blue Ocean plugin to minimize the risk of exploitation. Avoid using the Blue Ocean plugin with users who have permission to edit descriptions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.