CVE-2015-0156

Name of the Vulnerable Software and Affected Versions IBM Business Process Manager versions 7.5.x through 7.5.1.2 IBM Business Process Manager versions 8.0.x through 8.0.1.3 IBM Business Process Manager versions 8.5.x through 8.5.6.0 WebSphere Lombardi Edition versions 7.2.x through 7.2.0.5

Description The issue exists due to insufficient protection of the web page structure, allowing a remote attacker to inject arbitrary web or HTML code using a specially crafted URL. This is a cross-site scripting (XSS) issue.

Recommendations For IBM Business Process Manager versions 7.5.x through 7.5.1.2, update to a version later than 7.5.1.2 to resolve the issue. For IBM Business Process Manager versions 8.0.x through 8.0.1.3, update to a version later than 8.0.1.3 to resolve the issue. For IBM Business Process Manager versions 8.5.x through 8.5.6.0, update to a version later than 8.5.6.0 to resolve the issue. For WebSphere Lombardi Edition versions 7.2.x through 7.2.0.5, update to a version later than 7.2.0.5 to resolve the issue. As a temporary workaround, consider restricting access to crafted URLs to minimize the risk of exploitation.