Grégory Draperi

Name of the Vulnerable Software and Affected Versions: JBPM KIE Workbench versions 6.0.x Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via vectors related to task name html inputs. Recommendations: For JBPM KIE Workbench versions 6.0.x, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat JBoss BRMS versions prior to 6.0.1 Red Hat JBoss BPM Suite versions prior to 6.0.1 JBoss Drools (affected versions not specified) **Description** The issue allows remote authenticated users to execute arbitrary Java code. This can be achieved via either MVFLEX Expression Language (MVEL) or Drools expressions. **Recommendations** For Red Hat JBoss BRMS versions prior to 6.0.1, update to version 6.0.1 or later. For Red Hat JBoss BPM Suite versions prior to 6.0.1, update to version 6.0.1 or later. For JBoss Drools, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Camel versions 2.9.0 through 2.9.6 Apache Camel versions 2.10.0 through 2.10.6 Apache Camel versions 2.11.0 through 2.11.1 Apache Camel version 2.12.0 **Description** The issue allows remote attackers to execute arbitrary simple language expressions. This can be achieved by including `$simple{}` in a CamelFileName message header to a FILE or FTP producer. **Recommendations** For Apache Camel versions 2.9.0 through 2.9.6, update to version 2.9.7 or later. For Apache Camel versions 2.10.0 through 2.10.6, update to version 2.10.7 or later. For Apache Camel versions 2.11.0 through 2.11.1, update to version 2.11.2 or later. For Apache Camel version 2.12.0, update to a version later than 2.12.0.