CVE-2015-1961

IBM Business Process Manager 7.5.x-8.5.6.0 - Authenticated Arbitrary JavaScript Execution via REST API

Title source: llm

Description

The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions and execute arbitrary JavaScript code on the server via an unspecified API call.

References (4)

Core References
Patch, Vendor Advisory x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21959052
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032972
Patch, Vendor Advisory vendor-advisory x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1JR53356
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/75536

Scores

EPSS 0.0241
EPSS Percentile 82.1%

Details

CWE
CWE-284
Status published
Products (13)
ibm/business_process_manager 7.5.0.0 (3 CPE variants)
ibm/business_process_manager 7.5.0.1 (3 CPE variants)
ibm/business_process_manager 7.5.1.0 (3 CPE variants)
ibm/business_process_manager 7.5.1.1 (3 CPE variants)
ibm/business_process_manager 8.0.0.0 (3 CPE variants)
ibm/business_process_manager 8.0.1.0 (3 CPE variants)
ibm/business_process_manager 8.0.1.1 (3 CPE variants)
ibm/business_process_manager 8.0.1.2 (3 CPE variants)
ibm/business_process_manager 8.0.1.3 (3 CPE variants)
ibm/business_process_manager 8.5.0.0 (3 CPE variants)
... and 3 more
Published Jul 13, 2015
Tracked Since Feb 18, 2026