Ibm Business Process Manager vulnerabilities
89 known vulnerabilities affecting ibm/business_process_manager.
Total CVEs
89
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH6MEDIUM69LOW13
Vulnerabilities
Page 3 of 5
CVE-2017-1527HIGHCVSS 8.1v7.5.0.0v7.5.0.1+16 more2017-09-26
CVE-2017-1527 [HIGH] CWE-611 CVE-2017-1527: IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to a XML External Entity Injection (XXE
IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 130156.
nvd
CVE-2017-1539HIGHCVSS 8.8v7.5.0.0v7.5.0.1+16 more2017-09-26
CVE-2017-1539 [HIGH] CVE-2017-1539: IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to privilege escalation by not properly
IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to privilege escalation by not properly distinguishing internal group memberships from user registry group memberships. By manipulating LDAP group membership an attack might gain privileged access. IBM X-Force ID: 130807.
nvd
CVE-2017-1531MEDIUMCVSS 5.4v7.5.0.0v7.5.0.1+16 more2017-09-26
CVE-2017-1531 [MEDIUM] CWE-79 CVE-2017-1531: IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to cross-site scripting. This vulnerabi
IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 130410.
nvd
CVE-2017-1530MEDIUMCVSS 5.4v7.5.0.0v7.5.0.1+16 more2017-09-26
CVE-2017-1530 [MEDIUM] CWE-79 CVE-2017-1530: IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to cross-site scripting. This vulnerabi
IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 130409.
nvd
CVE-2017-1425MEDIUMCVSS 5.4v8.0.1.1v8.5.7.02017-09-26
CVE-2017-1425 [MEDIUM] CWE-79 CVE-2017-1425: IBM Business Process Manager 8.0.1.1 and 8.5.7 is vulnerable to cross-site scripting. This vulnerabi
IBM Business Process Manager 8.0.1.1 and 8.5.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 127478.
nvd
CVE-2017-1424MEDIUMCVSS 5.4v8.5.7.02017-09-25
CVE-2017-1424 [MEDIUM] CWE-79 CVE-2017-1424: IBM Business Process Manager 8.5.7 is vulnerable to cross-site scripting. This vulnerability allows
IBM Business Process Manager 8.5.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 127477.
nvd
CVE-2017-1346LOWCVSS 2.5v7.5.0.0v7.5.0.1+16 more2017-09-25
CVE-2017-1346 [LOW] CWE-200 CVE-2017-1346: IBM Business Process Manager 7.5, 8.0, and 8.5 temporarily stores files in a temporary folder during
IBM Business Process Manager 7.5, 8.0, and 8.5 temporarily stores files in a temporary folder during offline installs which could be read by a local user within a short timespan. IBM X-Force ID: 126461.
nvd
CVE-2015-0110MEDIUMCVSS 6.5v7.5.0.0v7.5.0.1+11 more2017-09-15
CVE-2015-0110 [MEDIUM] CWE-284 CVE-2015-0110: IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and WebSphere Lombardi Edition (aka W
IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and WebSphere Lombardi Edition (aka WLE) 7.2.x allow remote authenticated users to bypass intended access restrictions on internal service types via vectors involving the executeServiceByName URL.
nvd
CVE-2015-0101MEDIUMCVSS 6.1v7.5v7.5.0.1+11 more2017-08-28
CVE-2015-0101 [MEDIUM] CWE-79 CVE-2015-0101: Cross-site scripting (XSS) vulnerability in IBM Business Process Manager Standard 7.5.x before 7.5,
Cross-site scripting (XSS) vulnerability in IBM Business Process Manager Standard 7.5.x before 7.5, 8.0.x before 8.0.1, 8.5.x before 8.5.5; IBM Business Process Manager Express 7.5.x before 7.5, 8.0.x before 8.0.1, 8.5.x before 8.5.5; and IBM Business Process Manager Advanced 7.5.x before 7.5, 8.0.x before 8.0.1, 8.5.x before 8.5.5.
nvd
CVE-2017-1140MEDIUMCVSS 5.4v8.0.0.0v8.0.1.0+9 more2017-06-08
CVE-2017-1140 [MEDIUM] CWE-79 CVE-2017-1140: IBM Business Process Manager 8.0 and 8.5 are vulnerable to cross-site scripting. This vulnerability
IBM Business Process Manager 8.0 and 8.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
nvd
CVE-2017-1159MEDIUMCVSS 5.4v7.5.0.0v7.5.0.1+14 more2017-05-22
CVE-2017-1159 [MEDIUM] CWE-601 CVE-2017-1159: IBM Business Process Manager 8.0 and 8.5 could allow a remote attacker to conduct phishing attacks,
IBM Business Process Manager 8.0 and 8.5 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This co
nvd
CVE-2016-9693MEDIUMCVSS 6.1v7.5.0.0v7.5.0.1+15 more2017-03-07
CVE-2016-9693 [MEDIUM] CWE-20 CVE-2016-9693: IBM Business Process Manager 7.5, 8.0, and 8.5 has a file download capability that is vulnerable to
IBM Business Process Manager 7.5, 8.0, and 8.5 has a file download capability that is vulnerable to a set of attacks. Ultimately, an attacker can cause an unauthenticated victim to download a malicious payload. An existing file type restriction can be bypassed so that the payload might be considered executable and cause damage on the victim's machine. I
nvd
CVE-2016-9731MEDIUMCVSS 5.4v8.5.7.02017-02-01
CVE-2016-9731 [MEDIUM] CWE-79 CVE-2016-9731: IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users
IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
nvd
CVE-2016-3056MEDIUMCVSS 5.4v7.5.0.0v7.5.0.1+15 more2016-10-14
CVE-2016-3056 [MEDIUM] CWE-79 CVE-2016-3056: Cross-site scripting (XSS) vulnerability in Business Space in IBM Business Process Manager 7.5 throu
Cross-site scripting (XSS) vulnerability in Business Space in IBM Business Process Manager 7.5 through 7.5.1.2, 8.0 through 8.0.1.3, and 8.5 before 8.5.7.0 CF2016.09 allows remote authenticated users to inject arbitrary web script or HTML via crafted content.
nvd
CVE-2016-5901MEDIUMCVSS 5.4v8.5.6.0v8.5.6.1+2 more2016-10-05
CVE-2016-5901 [MEDIUM] CWE-79 CVE-2016-5901: Cross-site scripting (XSS) vulnerability in a test page in IBM Business Process Manager Advanced 8.5
Cross-site scripting (XSS) vulnerability in a test page in IBM Business Process Manager Advanced 8.5.6.0 through 8.5.7.0 before cumulative fix 2016.09 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2016-0349MEDIUMCVSS 6.5v8.5.6.0v8.5.7.02016-06-30
CVE-2016-0349 [MEDIUM] CWE-284 CVE-2016-0349: IBM Business Process Manager 8.5.6 through 8.5.6.2 and 8.5.7 before 8.5.7.CF201606 allows remote aut
IBM Business Process Manager 8.5.6 through 8.5.6.2 and 8.5.7 before 8.5.7.CF201606 allows remote authenticated users to bypass intended access restrictions and update process-instance variables via a REST API call.
nvd
CVE-2015-7454MEDIUMCVSS 4.3v7.5.0.0v7.5.0.1+15 more2016-03-21
CVE-2015-7454 [MEDIUM] CWE-264 CVE-2015-7454: Business Space in IBM WebSphere Process Server 6.1.2.0 through 7.0.0.5 and Business Process Manager
Business Space in IBM WebSphere Process Server 6.1.2.0 through 7.0.0.5 and Business Process Manager Advanced 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0.x through 8.5.0.2, 8.5.5.x through 8.5.5.0, and 8.5.6.x through 8.5.6.2 allows remote authenticated users to bypass intended access restrictions and create an arbitrary page or space via unspec
nvd
CVE-2016-0227MEDIUMCVSS 5.4v8.0.0.0v8.0.1.0+9 more2016-03-03
CVE-2016-0227 [MEDIUM] CWE-79 CVE-2016-0227: Cross-site scripting (XSS) vulnerability in the document-list control implementation in IBM Business
Cross-site scripting (XSS) vulnerability in the document-list control implementation in IBM Business Process Manager (BPM) 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.2, and 8.5.5 and 8.5.6 through 8.5.6.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
nvd
CVE-2015-8524MEDIUMCVSS 6.1v8.5.0.0v8.5.0.1+4 more2016-02-29
CVE-2015-8524 [MEDIUM] CWE-79 CVE-2015-8524: Cross-site scripting (XSS) vulnerability in Process Portal in IBM Business Process Manager 8.5.0.x t
Cross-site scripting (XSS) vulnerability in Process Portal in IBM Business Process Manager 8.5.0.x through 8.5.0.2, 8.5.5.x through 8.5.5.0, and 8.5.6.x through 8.5.6.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
nvd
CVE-2015-7441MEDIUMCVSS 6.8v7.5.0.0v7.5.0.1+14 more2016-01-01
CVE-2015-7441 [MEDIUM] CWE-17 CVE-2015-7441: Remote Artifact Loader (RAL) in IBM WebSphere Process Server 7 and Business Process Manager Advanced
Remote Artifact Loader (RAL) in IBM WebSphere Process Server 7 and Business Process Manager Advanced 7.5 through 7.5.1.2, 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.2, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.2 does not properly use SSL for its HTTPS connection, which allows remote authenticated users to obtain sensitive information or modify data
nvd