CVSS: 5.4EPSS: 0%CPEs: 100EXPL: 0CVE-2018-1384
https://notcve.org/view.php?id=CVE-2018-1384
IBM Business Process Manager 8.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 138135. IBM Business Process Manager 8.6 es vulnerable a Cross-Site Scripting. Esta vulnerabilidad permite que los usuarios embeban código JavaScript arbitrario en la interfaz de usuario web, lo que altera las funcionalidades previstas. • http://www.ibm.com/support/docview.wss?uid=swg22012604 http://www.securityfocus.com/bid/103681 http://www.securitytracker.com/id/1040624 https://exchange.xforce.ibmcloud.com/vulnerabilities/138135 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 31EXPL: 0CVE-2015-7454
https://notcve.org/view.php?id=CVE-2015-7454
Business Space in IBM WebSphere Process Server 6.1.2.0 through 7.0.0.5 and Business Process Manager Advanced 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0.x through 8.5.0.2, 8.5.5.x through 8.5.5.0, and 8.5.6.x through 8.5.6.2 allows remote authenticated users to bypass intended access restrictions and create an arbitrary page or space via unspecified vectors. Business Space en IBM WebSphere Process Server 6.1.2.0 hasta la versión 7.0.0.5 y Business Process Manager Advanced 7.5.x hasta la versión 7.5.1.2, 8.0.x hasta la versión 8.0.1.3, 8.5.0.x hasta la versión 8.5.0.2, 8.5.5.x hasta la versión 8.5.5.0 y 8.5.6.x hasta la versión 8.5.6.2 permite a usuarios remotos autenticados eludir las restricciones destinadas al acceso y crear una página o un espacio arbitrarios a través de vectores no especificados. • http://www-01.ibm.com/support/docview.wss?uid=swg1JR54678 http://www-01.ibm.com/support/docview.wss?uid=swg21972005 http://www.securityfocus.com/bid/85089 http://www.securitytracker.com/id/1035319 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 0%CPEs: 54EXPL: 0CVE-2015-7441
https://notcve.org/view.php?id=CVE-2015-7441
Remote Artifact Loader (RAL) in IBM WebSphere Process Server 7 and Business Process Manager Advanced 7.5 through 7.5.1.2, 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.2, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.2 does not properly use SSL for its HTTPS connection, which allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors. Remote Artifact Loader (RAL) en IBM WebSphere Process Server 7 y Business Process Manager Advanced 7.5 hasta la versión 7.5.1.2, 8.0 hasta la versión 8.0.1.3, 8.5.0 hasta la versión 8.5.0.2, 8.5.5 hasta la versión 8.5.5.0 y 8.5.6 hasta la versión 8.5.6.2 no utiliza adecuadamente el SSL para su conexión HTTPS, lo que permite a usuarios remotos autenticados obtener información sensible o modificar datos a través de vectores no especificados. • http://www-01.ibm.com/support/docview.wss?uid=swg1JR54760 http://www.securitytracker.com/id/1034531 http://www.securitytracker.com/id/1034532 https://www-01.ibm.com/support/docview.wss?uid=swg21971968 • CWE-17: DEPRECATED: Code •
CVSS: 4.3EPSS: 0%CPEs: 14EXPL: 0CVE-2014-6176
https://notcve.org/view.php?id=CVE-2014-6176
IBM WebSphere Process Server 7.0, WebSphere Enterprise Service Bus 7.0, and Business Process Manager Advanced 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5 disregard the SSL setting in the SCA module HTTP import binding and unconditionally select the SSLv3 protocol, which makes it easier for remote attackers to hijack sessions or obtain sensitive information by leveraging the use of a weak cipher. IBM WebSphere Process Server 7.0, WebSphere Enterprise Service Bus 7.0, y Business Process Manager Advanced 7.5.x hasta 7.5.1.2, 8.0.x hasta 8.0.1.3, y 8.5.x hasta 8.5.5 desatienden la configuración SSL setting en el enlace de importación de HTTP del módulo SCA y seleccionan incondicionalmente el protocolo SSLv3, lo que facilita a atacantes remotos secuestrar sesiones o obtener información sensible a través del aprovechamiento del uso de un cifrado débil. • http://www-01.ibm.com/support/docview.wss?uid=swg1JR51593 http://www-01.ibm.com/support/docview.wss?uid=swg21690780 http://www.securitytracker.com/id/1031382 http://www.securitytracker.com/id/1031383 https://exchange.xforce.ibmcloud.com/vulnerabilities/98488 • CWE-310: Cryptographic Issues •