CVE-2015-1961

Опубликовано: 13 июл. 2015

Источник: nvd

CVSS2: 9

EPSS Низкий

Описание

The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions and execute arbitrary JavaScript code on the server via an unspecified API call.

Ссылки

http://www-01.ibm.com/support/docview.wss?uid=swg1JR53356
Patch
Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21959052
Patch
Vendor Advisory
http://www.securityfocus.com/bid/75536
http://www.securitytracker.com/id/1032972
http://www-01.ibm.com/support/docview.wss?uid=swg1JR53356
Patch
Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21959052
Patch
Vendor Advisory
http://www.securityfocus.com/bid/75536
http://www.securitytracker.com/id/1032972

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:standard:*:*:*

cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:standard:*:*:*

cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:standard:*:*:*

cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:standard:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:standard:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:standard:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:standard:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:standard:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.1.3:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.1.3:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.0.1.3:*:*:*:standard:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:standard:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:standard:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.5.5.0:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.5.5.0:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.5.5.0:*:*:*:standard:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.5.6.0:*:*:*:advanced:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.5.6.0:*:*:*:express:*:*:*

cpe:2.3:a:ibm:business_process_manager:8.5.6.0:*:*:*:standard:*:*:*

EPSS

Процентиль: 44%

0.00216

Низкий

9 Critical

CVSS2

Дефекты

CWE-284

Связанные уязвимости

GHSA-8v4h-q88f-qv58

github

больше 3 лет назад

BDU:2015-10826

fstec

больше 10 лет назад

Уязвимость системы автоматизации деятельности предприятия Business Process Manager, позволяющая нарушителю обойти существующие ограничения доступа и выполнить произвольный Java-скрипт