CVE-2015-0193

Name of the Vulnerable Software and Affected Versions IBM Business Process Manager versions 7.5.x through 7.5.1.2 IBM Business Process Manager versions 8.0.x through 8.0.1.3 IBM Business Process Manager versions 8.5.x through 8.5.5.0 WebSphere Lombardi Edition versions 7.2.x through 7.2.0.5

Description The issue exists due to insufficient protection of the web page structure, allowing a remote attacker to inject arbitrary web or HTML code using a specially crafted URL. This can be exploited by triggering an error condition, enabling the injection of malicious code.

Recommendations For IBM Business Process Manager versions 7.5.x through 7.5.1.2, update to a version outside of this range to resolve the issue. For IBM Business Process Manager versions 8.0.x through 8.0.1.3, update to a version outside of this range to resolve the issue. For IBM Business Process Manager versions 8.5.x through 8.5.5.0, update to a version outside of this range to resolve the issue. For WebSphere Lombardi Edition versions 7.2.x through 7.2.0.5, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to crafted URLs that may trigger error conditions until a patch is available.