Man Shum

**Name of the Vulnerable Software and Affected Versions** IBM Business Automation Workflow versions 18.0.0 through 22.0.1 **Description** The issue allows an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts due to cross-site request forgery. **Recommendations** For versions 18.0.0 through 22.0.1, update to a version that is not affected by this issue to prevent cross-site request forgery attacks. As a temporary workaround, consider implementing additional validation for requests to prevent unauthorized actions. Restrict access to sensitive operations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM Business Process Manager versions 19.0.0.1 through 19.0.0.3 IBM Business Process Manager versions 20.0.0.1 through 20.0.0.2 IBM Business Process Manager versions 21.0.1 through 21.0.3.1 **Description** This issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. The vulnerability is related to cross-site scripting. **Recommendations** For IBM Business Process Manager versions 19.0.0.1 through 19.0.0.3, update to a version that is not affected by this issue. For IBM Business Process Manager versions 20.0.0.1 through 20.0.0.2, update to a version that is not affected by this issue. For IBM Business Process Manager versions 21.0.1 through 21.0.3.1, update to a version that is not affected by this issue. As a temporary workaround, consider restricting access to the Web UI to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Jenkins Blue Ocean Plugins versions 1.10.1 and earlier Description: A cross-site scripting issue exists that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user. The vulnerability is found in several files, including `Export.java`, `ExportConfig.java`, `JSONDataWriter.java`, `UserStatePreloader.java`, and `header.jelly`. Recommendations: For Jenkins Blue Ocean Plugins versions 1.10.1 and earlier, consider disabling the editing of user descriptions in Jenkins until a patch is available. Restrict access to the Blue Ocean plugin to minimize the risk of exploitation. Avoid using the Blue Ocean plugin with users who have permission to edit descriptions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.