Vulnerability Details : CVE-2014-8914
Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8913.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2014-8914
- cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-8914
- 0.17%: Probability of exploitation activity in the next 30 days
- ~ 55%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-8914
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | |
CWE ids for CVE-2014-8914
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8914
- http://www.securitytracker.com/id/1031614
  IBM Business Process Manager Input Validation Flaws in Process Portal Permit Cross-Site Scripting Attacks - SecurityTracker
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR51836
  IBM JR51836: SECURITY APAR CVE-2014-8914 - SCRIPT INJECTION VULNERABILITY OCCURS WHEN YOU START A PROCESS IN IBM PROCESS PORTAL (Patch; Vendor Advisory)
- http://www-01.ibm.com/support/docview.wss?uid=swg21693239
  IBM Security Bulletin: Cross-site scripting vulnerabilities in IBM Business Process Manager (BPM) Process Portal (CVE-2014-8913, CVE-2014-8914) (Patch; Vendor Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99285
  IBM Business Process Manager cross-site scripting CVE-2014-8914 Vulnerability Report
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR52103
  IBM JR52103: WITH JR49924 FIX INSTALLED, SETTING THE START PAGE TO A DASHBOARD IN IBM PROCESS PORTAL DOES NOT WORK CORRECTLY (Patch; Vendor Advisory)