CVSS: 5.4EPSS: 0%CPEs: 14EXPL: 0CVE-2017-1140
https://notcve.org/view.php?id=CVE-2017-1140
IBM Business Process Manager 8.0 and 8.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. Business Process Manager versiones 8.0 y 8.5 de IBM, son vulnerables a un problema de tipo cross-site-scripting. Esta vulnerabilidad permite a los usuarios insertar código JavaScript arbitrario en la interfaz de usuario web, lo que altera la funcionalidad prevista conllevando potencialmente a la divulgación de credenciales dentro de una sesión de confianza. • http://www.ibm.com/support/docview.wss?uid=swg21999133 http://www.securityfocus.com/bid/97322 https://exchange.xforce.ibmcloud.com/vulnerabilities/121905 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 19EXPL: 0CVE-2017-1159
https://notcve.org/view.php?id=CVE-2017-1159
IBM Business Process Manager 8.0 and 8.5 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 122891. Business Process Manager versiones 8.0 y 8.5 de IBM, podría permitir que un atacante remoto condujera ataques de phishing, utilizando un ataque de redireccionamiento abierto. • http://www.ibm.com/support/docview.wss?uid=swg22000253 http://www.securityfocus.com/bid/98561 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.8EPSS: 0%CPEs: 74EXPL: 0CVE-2016-9693
https://notcve.org/view.php?id=CVE-2016-9693
IBM Business Process Manager 7.5, 8.0, and 8.5 has a file download capability that is vulnerable to a set of attacks. Ultimately, an attacker can cause an unauthenticated victim to download a malicious payload. An existing file type restriction can be bypassed so that the payload might be considered executable and cause damage on the victim's machine. IBM Reference #: 1998655. IBM Business Process Manager 7.5, 8.0 y 8.5 tiene una capacidad de descarga de archivos vulnerable a un conjunto de ataques. • http://www.securityfocus.com/bid/98074 https://www.ibm.com/support/docview.wss?uid=swg21998655 • CWE-20: Improper Input Validation •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2016-9731
https://notcve.org/view.php?id=CVE-2016-9731
IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Business Process Manager es vulnerable a las secuencias de comandos de sitios cruzados. Esta vulnerabilidad permite a los usuarios integrar código JavaScript arbitrario en la interfaz de usuario Web, alterando así la funcionalidad prevista que potencialmente conduce a la divulgación de credenciales dentro de una sesión de confianza. • http://www.ibm.com/support/docview.wss?uid=swg21996158 http://www.securityfocus.com/bid/95105 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 68EXPL: 0CVE-2016-3056
https://notcve.org/view.php?id=CVE-2016-3056
Cross-site scripting (XSS) vulnerability in Business Space in IBM Business Process Manager 7.5 through 7.5.1.2, 8.0 through 8.0.1.3, and 8.5 before 8.5.7.0 CF2016.09 allows remote authenticated users to inject arbitrary web script or HTML via crafted content. Vulnerabilidad de XSS en Business Space en IBM Business Process Manager 7.5 hasta la versión 7.5.1.2, 8.0 hasta la versión 8.0.1.3 y 8.5 en versiones anteriores a 8.5.7.0 CF2016.09 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de contenido manipulado. • http://www-01.ibm.com/support/docview.wss?uid=swg1JR56300 http://www-01.ibm.com/support/docview.wss?uid=swg21990850 http://www.securityfocus.com/bid/93405 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •