First published: Tue Dec 21 2021(Updated: )
IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209512.
Credit: psirt@us.ibm.com
Affected Software | Affected Version | How to fix |
---|---|---|
IBM Business Automation Workflow | =18.0.0.0 | |
IBM Business Automation Workflow | =19.0.0.0 | |
IBM Business Automation Workflow | =20.0.0.0 | |
IBM Business Automation Workflow | =21.0.0.0 | |
IBM Business Process Manager | =8.5.0.0 | |
IBM Business Process Manager | =8.5.5.0 | |
IBM Business Process Manager | =8.5.7.0-cf201612 | |
IBM Business Process Manager | =8.5.7.0-cf201703 | |
IBM Business Process Manager | =8.5.7.0-cf201706 | |
IBM Business Process Manager | =8.6.0.0 | |
Ibm Workflow Process Service | =21.0.2 | |
IBM Business Automation Workflow | <=V21.0V20.0V19.0V18.0 | |
IBM Business Process Manager | <=V8.6V8.5 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2021-38893.
IBM Business Process Manager 8.5, 8.6, and IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 are affected.
The severity level of CVE-2021-38893 is medium.
This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, potentially leading to credential theft or unauthorized actions.
Update to a version that is not affected by this vulnerability when available, or apply any patches or mitigations provided by IBM.