CVE-2016-3056

high-risk

Published 2016-10-14

Cross-site scripting (XSS) vulnerability in Business Space in IBM Business Process Manager 7.5 through 7.5.1.2, 8.0 through 8.0.1.3, and 8.5 before 8.5.7.0 CF2016.09 allows remote authenticated users to inject arbitrary web script or HTML via crafted content.

Do I need to act?

-

0.24% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

5

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Business Process Manager

Affected Vendors

Ibm

References (6)

Patch http://www-01.ibm.com/support/docview.wss?uid=swg1JR56300

Vendor Advisory http://www-01.ibm.com/support/docview.wss?uid=swg21990850

http://www.securityfocus.com/bid/93405

Patch http://www-01.ibm.com/support/docview.wss?uid=swg1JR56300

Vendor Advisory http://www-01.ibm.com/support/docview.wss?uid=swg21990850

http://www.securityfocus.com/bid/93405

50

/ 100

high-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 28/34 · Critical