CVE-2016-9693 — Improper Input Validation in Corporation Business Process Manager Advanced

CWE-20 — Improper Input Validation3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 60.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Corporation Business Process Manager Advanced IBM Business Process Manager IBM Websphere

Timeline

PublishedMar 7

Latest updateMay 17

Description

IBM Business Process Manager 7.5, 8.0, and 8.5 has a file download capability that is vulnerable to a set of attacks. Ultimately, an attacker can cause an unauthenticated victim to download a malicious payload. An existing file type restriction can be bypassed so that the payload might be considered executable and cause damage on the victim's machine. IBM Reference #: 1998655.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:LExploitability: 1.8 | Impact: 3.7

Affected Packages3 packages

▶NVDibm/business_process_manager17 versions+16

▶CVEListV5ibm_corporation/business_process_manager_advanced21 versions+20

▶NVDibm/websphere6 versions+5

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-vp3c-hw54-76fg: IBM Business Process Manager 7↗2022-05-17

▶

CVEList

CVE-2016-9693: IBM Business Process Manager 7↗2017-03-07

▶