CVE-2015-1906

Name of the Vulnerable Software and Affected Versions IBM Business Process Manager versions 7.5.x through 7.5.1.2 IBM Business Process Manager versions 8.0.x through 8.0.1.3 IBM Business Process Manager versions 8.5.0 through 8.5.0.1 IBM Business Process Manager versions 8.5.5 through 8.5.5.0 IBM Business Process Manager versions 8.5.6 through 8.5.6.0

Description The issue is related to a cross-site scripting (XSS) vulnerability in the REST API of IBM Business Process Manager. This vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. The exploitation of this vulnerability can enable a remote attacker to embed arbitrary web or HTML code using a specially formed URL.

Recommendations For versions 7.5.x through 7.5.1.2, update to a version outside of this range to mitigate the risk. For versions 8.0.x through 8.0.1.3, update to a version outside of this range to mitigate the risk. For versions 8.5.0 through 8.5.0.1, update to a version outside of this range to mitigate the risk. For versions 8.5.5 through 8.5.5.0, update to a version outside of this range to mitigate the risk. For versions 8.5.6 through 8.5.6.0, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the REST API until a patch is available.