CVE-2023-24957 : IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.

IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 246115.

Published 2023-05-06 03:15:09

Updated 2025-01-29 16:15:39

Source IBM Corporation

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2023-24957

IBM » Business Automation Workflow
Versions from including (>=) 19.0.0.1 and up to, including, (<=) 19.0.0.3
cpe:2.3:a:ibm:business_automation_workflow:*:*:*:*:*:*:*:*
Matching versions
IBM » Business Automation Workflow » Containers Edition
Versions from including (>=) 20.0.0.1 and before (<) 21.0.3
cpe:2.3:a:ibm:business_automation_workflow:*:*:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Containers Edition
Versions from including (>=) 22.0.1 and before (<) 22.0.2
cpe:2.3:a:ibm:business_automation_workflow:*:*:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Traditional Edition
Versions from including (>=) 21.0.1 and up to, including, (<=) 21.0.3.1
cpe:2.3:a:ibm:business_automation_workflow:*:*:*:*:traditional:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 18.0.0.0
cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:*:*:*:-:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 18.0.0.1
cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:-:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 18.0.0.2
cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:*:*:*:-:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If011 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if011:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If010 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if010:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If009 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if009:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If008 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if008:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If007 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if007:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If006 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if006:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If005 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if005:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If002 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if002:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 20.0.0.1 Traditional Edition
cpe:2.3:a:ibm:business_automation_workflow:20.0.0.1:*:*:*:traditional:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 20.0.0.2 Traditional Edition
cpe:2.3:a:ibm:business_automation_workflow:20.0.0.2:*:*:*:traditional:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 22.0.1 Traditional Edition
cpe:2.3:a:ibm:business_automation_workflow:22.0.1:*:*:*:traditional:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If012 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if012:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If013 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if013:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If014 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if014:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 22.0.2 Traditional Edition
cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:traditional:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 22.0.2 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:22.0.2:-:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 22.0.2 Update If001 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:22.0.2:if001:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If015 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if015:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If016 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if016:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Update If017 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:if017:*:*:containers:*:*:*
Matching versions
IBM » Business Automation Workflow » Version: 21.0.3 Containers Edition
cpe:2.3:a:ibm:business_automation_workflow:21.0.3:-:*:*:containers:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-24957

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 27 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-24957

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-01-29
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	IBM Corporation
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2023-24957

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Primary)
- psirt@us.ibm.com (Primary)

References for CVE-2023-24957

https://exchange.xforce.ibmcloud.com/vulnerabilities/246115

IBM Business Automation Workflow cross-site scripting CVE-2023-24957 Vulnerability Report
VDB Entry;Vendor Advisory
https://www.ibm.com/support/pages/node/6965776

Security Bulletin: Stored cross-site vulnerability when performing a document upload using Responsive Document Explorer affect IBM Business Automation Workflow - CVE-2023-24957
Patch;Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-24957

Products affected by CVE-2023-24957

Exploit prediction scoring system (EPSS) score for CVE-2023-24957

CVSS scores for CVE-2023-24957

CWE ids for CVE-2023-24957

References for CVE-2023-24957