Vulnerability Details : CVE-2019-4149
IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2 and IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03, V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06, and V8.5.6.0 through V8.5.6.0 CF2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 158415.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-4149
- cpe:2.3:a:ibm:business_process_manager:8.5.6.0:cf1:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.6.0:cf2:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.6.0.0:cf201803:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.7.0:-:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.7.0:cf201706:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.6.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.6.0:-:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.6.0.0:cf201712:*:*:*:*:*:*
- IBM » Business Automation WorkflowVersions from including (>=) 18.0.0.0 and up to, including, (<=) 18.0.0.2cpe:2.3:a:ibm:business_automation_workflow:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-4149
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 17 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-4149
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
5.4
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
IBM Corporation | |
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
NIST |
CWE ids for CVE-2019-4149
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-4149
-
https://www.ibm.com/support/docview.wss?uid=ibm10885104
Security Bulletin: Cross-site scripting vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4149)Vendor Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/158415
IBM Business Automation Workflow cross-site scripting CVE-2019-4149 Vulnerability ReportVDB Entry;Vendor Advisory
Jump to