Direct links to fixes
APAR status
Closed as program error.
Error description
The reporting function in the IBM Process Center console is vulnerable to Cross-Site-Scripting because of insufficient URL parameter validation. PRODUCTS AFFECTED IBM Business Process Manager (BPM) Advanced IBM BPM Standard IBM BPM Express
Local fix
Problem summary
IBM BPM does not adequately validate URL parameters that are received with the previous pages. As a result, an attacker could include characters in these URL parameters that can be used to form malicious HTML or JavaScript.
Problem conclusion
A fix is available for IBM BPM that includes adequate URL parameter validation. On Fix Central (http://www.ibm.com/support/fixcentral), search for JR51926: 1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue. 2. Select APAR or SPR, enter JR51926, and click Continue. When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Temporary fix
Comments
APAR Information
APAR number
JR51926
Reported component name
BPM STANDARD
Reported component ID
5725C9500
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-12-01
Closed date
2015-02-13
Last modified date
2015-02-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
R751 PSY
UP
R801 PSY
UP
R850 PSY
UP
R855 PSY
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
15 October 2021