CVE-2014-3075: XSS
First published: Thu Sep 04 2014(Updated: )
Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 8.5.5 and WebSphere Lombardi Edition 7.2.0.x allows remote authenticated users to inject arbitrary web script or HTML via an uploaded file.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Business Process Manager | =7.5.0.0 | |
| IBM Business Process Manager | =7.5.0.1 | |
| IBM Business Process Manager | =7.5.1.0 | |
| IBM Business Process Manager | =7.5.1.1 | |
| IBM Business Process Manager | =7.5.1.2 | |
| IBM Business Process Manager | =8.0.0.0 | |
| IBM Business Process Manager | =8.0.1.0 | |
| IBM Business Process Manager | =8.0.1.1 | |
| IBM Business Process Manager | =8.0.1.2 | |
| IBM Business Process Manager | =8.5.0.0 | |
| IBM Business Process Manager | =8.5.0.1 | |
| IBM Business Process Manager | =8.5.5.0 | |
| IBM WebSphere Application Server with Web Server Plug-ins | =7.2 | |
| IBM WebSphere Application Server with Web Server Plug-ins | =7.2.0.1 | |
| IBM WebSphere Application Server with Web Server Plug-ins | =7.2.0.2 | |
| IBM WebSphere Application Server with Web Server Plug-ins | =7.2.0.3 | |
| IBM WebSphere Application Server with Web Server Plug-ins | =7.2.0.4 | |
| IBM WebSphere Application Server with Web Server Plug-ins | =7.2.0.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2014-3075?
CVE-2014-3075 is classified as a moderate severity cross-site scripting (XSS) vulnerability.
How do I fix CVE-2014-3075?
To fix CVE-2014-3075, apply the necessary security patches provided by IBM for affected versions of Business Process Manager and WebSphere Lombardi Edition.
Who is affected by CVE-2014-3075?
CVE-2014-3075 affects IBM Business Process Manager versions 7.5.x to 8.5.5 and IBM WebSphere Lombardi Edition version 7.2.0.x.
What types of attacks can exploit CVE-2014-3075?
CVE-2014-3075 can be exploited by remote authenticated users to inject and execute arbitrary web scripts or HTML.
When was CVE-2014-3075 reported?
CVE-2014-3075 was reported on June 5, 2014.
- agent/type
- agent/softwarecombine
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ibm
- canonical/ibm business process manager
- version/ibm business process manager/7.5.0.0
- version/ibm business process manager/7.5.0.1
- version/ibm business process manager/7.5.1.0
- version/ibm business process manager/7.5.1.1
- version/ibm business process manager/7.5.1.2
- version/ibm business process manager/8.0.0.0
- version/ibm business process manager/8.0.1.0
- version/ibm business process manager/8.0.1.1
- version/ibm business process manager/8.0.1.2
- version/ibm business process manager/8.5.0.0
- version/ibm business process manager/8.5.0.1
- version/ibm business process manager/8.5.5.0
- canonical/ibm websphere application server with web server plug-ins
- version/ibm websphere application server with web server plug-ins/7.2
- version/ibm websphere application server with web server plug-ins/7.2.0.1
- version/ibm websphere application server with web server plug-ins/7.2.0.2
- version/ibm websphere application server with web server plug-ins/7.2.0.3
- version/ibm websphere application server with web server plug-ins/7.2.0.4
- version/ibm websphere application server with web server plug-ins/7.2.0.5