IBM · IBM Business Process Manager · CVE-2021-38893
**Name of the Vulnerable Software and Affected Versions**
IBM Business Process Manager versions 8.5 through 8.6
IBM Business Automation Workflow versions 18.0 through 21.0
**Description**
This issue allows users to embed arbitrary JavaScript code in the Web UI, altering its intended functionality and potentially leading to credential disclosure within a trusted session. Because the injected script is stored by the application and later executed in the browsers of other users who view the affected content, it behaves as a stored cross-site scripting (XSS) flaw and compromises the security of the system.
**Recommendations**
For IBM Business Process Manager versions 8.5 through 8.6, update to a version that includes the fix for this issue.
For IBM Business Automation Workflow versions 18.0 through 21.0, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the Web UI to minimize the risk of exploitation.