Search

Find a vulnerability

Search criteria

    84 vulnerabilities found for Business Automation Workflow by IBM

    CVE-2024-54179 (GCVE-0-2024-54179)

    Vulnerability from nvd – Published: 2025-03-03 13:56 – Updated: 2025-09-01 01:10
    VLAI
    Title
    IBM Business Automation Workflow cross-site scripting
    Summary
    IBM Business Automation Workflow and IBM Business Automation Workflow Enterprise Service Bus 24.0.0, 24.0.1 and earlier unsupported versions are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7184647 vendor-advisorypatch
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 24.0.0
    Affected: 24.0.1
    Create a notification for this product.
    IBM Business Automation Workflow Enterprise Service Bus Affected: 24.0.0, 24.0.1
        cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:enterprise_service_bus:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:enterprise_service_bus:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-54179",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-03T14:21:46.003265Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-03T14:21:56.109Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "24.0.0"
                },
                {
                  "status": "affected",
                  "version": "24.0.1"
                }
              ]
            },
            {
              "cpes": [
                "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:enterprise_service_bus:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:enterprise_service_bus:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow Enterprise Service Bus",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "24.0.0, 24.0.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Business Automation Workflow and IBM Business Automation Workflow Enterprise Service Bus 24.0.0, 24.0.1 and earlier unsupported versions are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
                }
              ],
              "value": "IBM Business Automation Workflow and IBM Business Automation Workflow Enterprise Service Bus 24.0.0, 24.0.1 and earlier unsupported versions are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-01T01:10:19.247Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7184647"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow cross-site scripting",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2024-54179",
        "datePublished": "2025-03-03T13:56:50.099Z",
        "dateReserved": "2024-11-30T14:47:55.533Z",
        "dateUpdated": "2025-09-01T01:10:19.247Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-43188 (GCVE-0-2024-43188)

    Vulnerability from nvd – Published: 2024-09-18 11:39 – Updated: 2024-09-18 16:40
    VLAI
    Title
    IBM Business Automation Workflow improper input validation
    Summary
    IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 could allow a privileged user to perform unauthorized activities due to improper client side validation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-602 - Client-Side Enforcement of Server-Side Security
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 22.0.2, 23.0.1, 23.0.2, 24.0.0
        cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:-:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:-:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:-:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:-:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-43188",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-18T13:23:48.735450Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-18T13:23:58.053Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:-:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:-:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:-:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:-:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "22.0.2, 23.0.1, 23.0.2, 24.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Business Automation Workflow \n\n\u003cspan style=\"background-color: rgb(244, 244, 244);\"\u003e22.0.2, 23.0.1, 23.0.2, and 24.0.0\u003c/span\u003e\n\ncould allow a privileged user to perform unauthorized activities due to improper client side validation.\u003c/span\u003e"
                }
              ],
              "value": "IBM Business Automation Workflow \n\n22.0.2, 23.0.1, 23.0.2, and 24.0.0\n\ncould allow a privileged user to perform unauthorized activities due to improper client side validation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-602",
                  "description": "CWE-602 Client-Side Enforcement of Server-Side Security",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-18T16:40:53.717Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/7168769"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow improper input validation",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2024-43188",
        "datePublished": "2024-09-18T11:39:22.958Z",
        "dateReserved": "2024-08-07T13:29:34.029Z",
        "dateUpdated": "2024-09-18T16:40:53.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-38321 (GCVE-0-2024-38321)

    Vulnerability from nvd – Published: 2024-08-03 13:34 – Updated: 2024-08-03 18:49
    VLAI
    Title
    IBM Business Automation Workflow information disclosure
    Summary
    IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 stores potentially sensitive information in log files under certain situations that could be read by an authenticated user. IBM X-Force ID: 284868.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 22.0.2, 23.0.1, 23.0.2, 24.0.0
        cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:-:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:-:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:-:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:-:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-38321",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-03T18:49:18.410755Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:49:24.893Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:-:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:-:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:-:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:-:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "22.0.2, 23.0.1, 23.0.2, 24.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 stores potentially sensitive information in log files under certain situations that could be read by an authenticated user.  IBM X-Force ID:  284868."
                }
              ],
              "value": "IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 stores potentially sensitive information in log files under certain situations that could be read by an authenticated user.  IBM X-Force ID:  284868."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-03T13:34:16.845Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/7162334"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/294868"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow information disclosure",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2024-38321",
        "datePublished": "2024-08-03T13:34:16.845Z",
        "dateReserved": "2024-06-13T21:43:46.667Z",
        "dateUpdated": "2024-08-03T18:49:24.893Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50947 (GCVE-0-2023-50947)

    Vulnerability from nvd – Published: 2024-02-04 00:11 – Updated: 2024-08-22 17:41
    VLAI
    Title
    IBM Business Automation Workflow cross-site scripting
    Summary
    IBM Business Automation Workflow 22.0.2, 23.0.1, and 23.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 275665.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 22.0.2, 23.0.1, 23.0.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:23:44.041Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/7114419"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/7114430"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275665"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50947",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-22T17:40:47.403078Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-22T17:41:47.983Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "22.0.2, 23.0.1, 23.0.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Business Automation Workflow 22.0.2, 23.0.1, and 23.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  275665."
                }
              ],
              "value": "IBM Business Automation Workflow 22.0.2, 23.0.1, and 23.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  275665."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-04T00:11:02.465Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/7114419"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/7114430"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275665"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow cross-site scripting",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2023-50947",
        "datePublished": "2024-02-04T00:11:02.465Z",
        "dateReserved": "2023-12-16T19:35:35.358Z",
        "dateUpdated": "2024-08-22T17:41:47.983Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32339 (GCVE-0-2023-32339)

    Vulnerability from nvd – Published: 2023-06-27 16:57 – Updated: 2024-11-06 20:43
    VLAI
    Title
    IBM Business Automation Workflow cross-site scripting
    Summary
    IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 255587.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 19.0.0.1 , ≤ 19.0.0.3 (semver)
    Affected: 20.0.0.1 , ≤ 20.0.0.2 (semver)
    Affected: 21.0.1 , ≤ 21.0.3.1 (semver)
    Affected: 21.0.1 , ≤ 22.0.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:10:24.941Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://https://www.ibm.com/support/pages/node/7001291"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://https://www.ibm.com/support/pages/node/6998727"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6998727"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32339",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-06T20:42:49.082015Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-06T20:43:01.731Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0.3",
                  "status": "affected",
                  "version": "19.0.0.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "20.0.0.2",
                  "status": "affected",
                  "version": "20.0.0.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "21.0.3.1",
                  "status": "affected",
                  "version": "21.0.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.0.2",
                  "status": "affected",
                  "version": "21.0.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  255587."
                }
              ],
              "value": "IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  255587."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-27T16:57:53.458Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://https://www.ibm.com/support/pages/node/7001291"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://https://www.ibm.com/support/pages/node/6998727"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://www.ibm.com/support/pages/node/6998727"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow cross-site scripting",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2023-32339",
        "datePublished": "2023-06-27T16:57:53.458Z",
        "dateReserved": "2023-05-08T18:32:52.654Z",
        "dateUpdated": "2024-11-06T20:43:01.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-24957 (GCVE-0-2023-24957)

    Vulnerability from nvd – Published: 2023-05-06 02:05 – Updated: 2025-01-29 16:06
    VLAI
    Title
    IBM Business Automation Workflow cross-site scripting
    Summary
    IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 246115.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, 22.0.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:11:43.746Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6965776"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/246115"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-24957",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-29T16:04:42.276083Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-29T16:06:32.818Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, 22.0.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  246115."
                }
              ],
              "value": "IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  246115."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-06T02:05:46.959Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/6965776"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/246115"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow cross-site scripting",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2023-24957",
        "datePublished": "2023-05-06T02:05:46.959Z",
        "dateReserved": "2023-02-01T02:39:37.386Z",
        "dateUpdated": "2025-01-29T16:06:32.818Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-42435 (GCVE-0-2022-42435)

    Vulnerability from nvd – Published: 2023-01-03 23:16 – Updated: 2025-04-10 14:36
    VLAI
    Title
    IBM Business Automation Workflow cross-site request forgery
    Summary
    IBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 238054.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T13:10:41.010Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6852217"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/238054"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-42435",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-10T14:36:08.900745Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-10T14:36:21.653Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0.0,   18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\n\u003cspan style=\"background-color: rgb(204, 217, 226);\"\u003eIBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 238054.\u003c/span\u003e\n\n"
                }
              ],
              "value": "\nIBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 238054.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-03T23:16:13.875Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/6852217"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/238054"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow cross-site request forgery",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2022-42435",
        "datePublished": "2023-01-03T23:16:13.875Z",
        "dateReserved": "2022-10-06T15:51:26.497Z",
        "dateUpdated": "2025-04-10T14:36:21.653Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-38390 (GCVE-0-2022-38390)

    Vulnerability from nvd – Published: 2022-11-17 16:48 – Updated: 2025-04-29 13:46
    VLAI
    Summary
    Multiple IBM Business Automation Workflow versions are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 233978.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 22.0.1
    Affected: 21.0.1 , < 21.0.3.1 (custom)
    Affected: 20.0.0.1 , < 20.0.0.2 (custom)
    Affected: 19.0.0.1 , < 19.0.0.3 (custom)
    Affected: 18.0.0.0 , < 18.0.0.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:54:03.745Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6839847"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233978"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-38390",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-29T13:46:19.799908Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-29T13:46:49.770Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "22.0.1"
                },
                {
                  "lessThan": "21.0.3.1",
                  "status": "affected",
                  "version": "21.0.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "20.0.0.2",
                  "status": "affected",
                  "version": "20.0.0.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "19.0.0.3",
                  "status": "affected",
                  "version": "19.0.0.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "18.0.0.2",
                  "status": "affected",
                  "version": "18.0.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple IBM Business Automation Workflow versions are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  233978."
                }
              ],
              "value": "Multiple IBM Business Automation Workflow versions are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  233978."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-17T16:48:11.088Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/6839847"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233978"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2022-38390",
        "datePublished": "2022-11-17T16:48:11.088Z",
        "dateReserved": "2022-08-16T18:42:49.433Z",
        "dateUpdated": "2025-04-29T13:46:49.770Z",
        "requesterUserId": "69938c14-a5a2-41ac-a450-71ed41911136",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22361 (GCVE-0-2022-22361)

    Vulnerability from nvd – Published: 2022-05-31 15:45 – Updated: 2024-09-16 19:30
    VLAI
    Summary
    IBM Business Automation Workflow traditional 21.0.1 through 21.0.3, 20.0.0.1 through 20.0.0.2, 19.0.0.1 through 19.0.0.3, 18.0.0.0 through 18.0.0.1, IBM Business Automation Workflow containers V21.0.1 - V21.0.3 20.0.0.1 through 20.0.0.2, IBM Business Process Manager 8.6.0.0 through 8.6.0.201803, and 8.5.0.0 through 8.5.0.201706 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
    CWE
    • Gain Access
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Process Manager Affected: 8.6.0.0
    Affected: 8.5.0.0
    Affected: 8.5.0.201706
    Affected: 8.6.0.201803
    Create a notification for this product.
    IBM Business Automation Workflow Affected: 18.0.0.0
    Affected: 18.0.0.1
    Affected: 19.0.0.1
    Affected: 19.0.0.3
    Affected: 20.0.0.1
    Affected: 20.0.0.2
    Affected: 21.0.3
    Affected: 21.0.1
    Create a notification for this product.
    Date Public
    2022-05-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:14:54.839Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6590411"
              },
              {
                "name": "ibm-baw-cve202222361-csrf (220784)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220784"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Process Manager",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.6.0.0"
                },
                {
                  "status": "affected",
                  "version": "8.5.0.0"
                },
                {
                  "status": "affected",
                  "version": "8.5.0.201706"
                },
                {
                  "status": "affected",
                  "version": "8.6.0.201803"
                }
              ]
            },
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0.0.0"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.3"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "21.0.3"
                },
                {
                  "status": "affected",
                  "version": "21.0.1"
                }
              ]
            }
          ],
          "datePublic": "2022-05-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Automation Workflow traditional 21.0.1 through 21.0.3, 20.0.0.1 through 20.0.0.2, 19.0.0.1 through 19.0.0.3, 18.0.0.0 through 18.0.0.1, IBM Business Automation Workflow containers V21.0.1 - V21.0.3 20.0.0.1 through 20.0.0.2, IBM Business Process Manager 8.6.0.0 through 8.6.0.201803, and 8.5.0.0 through 8.5.0.201706 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "exploitCodeMaturity": "UNPROVEN",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 3.8,
                "temporalSeverity": "LOW",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/PR:N/S:U/C:N/A:N/AC:L/AV:N/UI:R/I:L/RC:C/RL:O/E:U",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Gain Access",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-31T15:45:13.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6590411"
            },
            {
              "name": "ibm-baw-cve202222361-csrf (220784)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220784"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2022-05-27T00:00:00",
              "ID": "CVE-2022-22361",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Process Manager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "8.6.0.0"
                              },
                              {
                                "version_value": "8.5.0.0"
                              },
                              {
                                "version_value": "8.5.0.201706"
                              },
                              {
                                "version_value": "8.6.0.201803"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "18.0.0.0"
                              },
                              {
                                "version_value": "18.0.0.1"
                              },
                              {
                                "version_value": "19.0.0.1"
                              },
                              {
                                "version_value": "19.0.0.3"
                              },
                              {
                                "version_value": "20.0.0.1"
                              },
                              {
                                "version_value": "20.0.0.2"
                              },
                              {
                                "version_value": "21.0.3"
                              },
                              {
                                "version_value": "21.0.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Automation Workflow traditional 21.0.1 through 21.0.3, 20.0.0.1 through 20.0.0.2, 19.0.0.1 through 19.0.0.3, 18.0.0.0 through 18.0.0.1, IBM Business Automation Workflow containers V21.0.1 - V21.0.3 20.0.0.1 through 20.0.0.2, IBM Business Process Manager 8.6.0.0 through 8.6.0.201803, and 8.5.0.0 through 8.5.0.201706 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "L",
                  "AV": "N",
                  "C": "N",
                  "I": "L",
                  "PR": "N",
                  "S": "U",
                  "UI": "R"
                },
                "TM": {
                  "E": "U",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Gain Access"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6590411",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6590411 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6590411"
                },
                {
                  "name": "ibm-baw-cve202222361-csrf (220784)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220784"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2022-22361",
        "datePublished": "2022-05-31T15:45:13.828Z",
        "dateReserved": "2022-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:30:44.287Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-39046 (GCVE-0-2021-39046)

    Vulnerability from nvd – Published: 2022-03-18 15:40 – Updated: 2024-09-16 22:02
    VLAI
    Summary
    IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 stores user credentials in plain clear text which can be read by a lprivileged user. IBM X-Force ID: 214346.
    CWE
    • Obtain Information
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 18.0.0.0
    Affected: 18.0.0.1
    Affected: 18.0.0.2
    Affected: 19.0.0.1
    Affected: 19.0.0.2
    Affected: 19.0.0.3
    Affected: 20.0.0.1
    Affected: 20.0.0.2
    Affected: 21.0.2
    Affected: 21.0.3
    Create a notification for this product.
    IBM Business Process Manager Affected: 8.5
    Affected: 8.6
    Create a notification for this product.
    Date Public
    2022-03-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:58:17.584Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6564387"
              },
              {
                "name": "ibm-baw-cve202139046-info-disc (214346)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/214346"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0.0.0"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.3"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "21.0.2"
                },
                {
                  "status": "affected",
                  "version": "21.0.3"
                }
              ]
            },
            {
              "product": "Business Process Manager",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.5"
                },
                {
                  "status": "affected",
                  "version": "8.6"
                }
              ]
            }
          ],
          "datePublic": "2022-03-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 stores user credentials in plain clear text which can be read by a lprivileged user. IBM X-Force ID: 214346."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "exploitCodeMaturity": "UNPROVEN",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 4.3,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/I:N/PR:H/AC:L/S:U/AV:N/A:N/UI:N/C:H/E:U/RL:O/RC:C",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Obtain Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-18T15:40:16.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6564387"
            },
            {
              "name": "ibm-baw-cve202139046-info-disc (214346)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/214346"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2022-03-17T00:00:00",
              "ID": "CVE-2021-39046",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "18.0.0.0"
                              },
                              {
                                "version_value": "18.0.0.1"
                              },
                              {
                                "version_value": "18.0.0.2"
                              },
                              {
                                "version_value": "19.0.0.1"
                              },
                              {
                                "version_value": "19.0.0.2"
                              },
                              {
                                "version_value": "19.0.0.3"
                              },
                              {
                                "version_value": "20.0.0.1"
                              },
                              {
                                "version_value": "20.0.0.2"
                              },
                              {
                                "version_value": "21.0.2"
                              },
                              {
                                "version_value": "21.0.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Business Process Manager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "8.5"
                              },
                              {
                                "version_value": "8.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 stores user credentials in plain clear text which can be read by a lprivileged user. IBM X-Force ID: 214346."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "L",
                  "AV": "N",
                  "C": "H",
                  "I": "N",
                  "PR": "H",
                  "S": "U",
                  "UI": "N"
                },
                "TM": {
                  "E": "U",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Obtain Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6564387",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6564387 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6564387"
                },
                {
                  "name": "ibm-baw-cve202139046-info-disc (214346)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/214346"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2021-39046",
        "datePublished": "2022-03-18T15:40:16.124Z",
        "dateReserved": "2021-08-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:02:31.526Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-38900 (GCVE-0-2021-38900)

    Vulnerability from nvd – Published: 2021-12-21 19:10 – Updated: 2024-09-17 01:40
    VLAI
    Summary
    IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607.
    CWE
    • Obtain Information
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 18.0.0.0
    Affected: 18.0.0.1
    Affected: 18.0.0.2
    Affected: 19.0.0.1
    Affected: 19.0.0.2
    Affected: 19.0.0.3
    Affected: 20.0.0.1
    Affected: 20.0.0.2
    Affected: 21.0.2
    Create a notification for this product.
    IBM Cloud Pak for Automation Affected: 21.0.2
    Create a notification for this product.
    Date Public
    2021-12-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:51:20.879Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6527776"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6528296"
              },
              {
                "name": "ibm-baw-cve202138900-info-disc (209607)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209607"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0.0.0"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.3"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "21.0.2"
                }
              ]
            },
            {
              "product": "Cloud Pak for Automation",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.0.2"
                }
              ]
            }
          ],
          "datePublic": "2021-12-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "exploitCodeMaturity": "UNPROVEN",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 4.3,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/A:N/AV:N/AC:L/UI:N/S:U/C:H/PR:H/I:N/RC:C/E:U/RL:O",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Obtain Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-21T19:10:15.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6527776"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6528296"
            },
            {
              "name": "ibm-baw-cve202138900-info-disc (209607)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209607"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2021-12-20T00:00:00",
              "ID": "CVE-2021-38900",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "18.0.0.0"
                              },
                              {
                                "version_value": "18.0.0.1"
                              },
                              {
                                "version_value": "18.0.0.2"
                              },
                              {
                                "version_value": "19.0.0.1"
                              },
                              {
                                "version_value": "19.0.0.2"
                              },
                              {
                                "version_value": "19.0.0.3"
                              },
                              {
                                "version_value": "20.0.0.1"
                              },
                              {
                                "version_value": "20.0.0.2"
                              },
                              {
                                "version_value": "21.0.2"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Cloud Pak for Automation",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "21.0.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "L",
                  "AV": "N",
                  "C": "H",
                  "I": "N",
                  "PR": "H",
                  "S": "U",
                  "UI": "N"
                },
                "TM": {
                  "E": "U",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Obtain Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6527776",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6527776 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6527776"
                },
                {
                  "name": "https://www.ibm.com/support/pages/node/6528296",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6528296 (Cloud Pak for Automation)",
                  "url": "https://www.ibm.com/support/pages/node/6528296"
                },
                {
                  "name": "ibm-baw-cve202138900-info-disc (209607)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209607"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2021-38900",
        "datePublished": "2021-12-21T19:10:16.020Z",
        "dateReserved": "2021-08-16T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:40:57.148Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-38883 (GCVE-0-2021-38883)

    Vulnerability from nvd – Published: 2021-12-17 17:05 – Updated: 2024-09-16 19:25
    VLAI
    Summary
    IBM Business Automation Workflow 18.0, 19.0, 20,0 and 21.0 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209165.
    CWE
    • Cross-Site Scripting
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Process Manager Affected: 8.5
    Affected: 8.6
    Create a notification for this product.
    IBM Business Automation Workflow Affected: 19.0.0
    Affected: 20.0.0
    Affected: 21.0
    Affected: 18.0.0
    Create a notification for this product.
    Date Public
    2021-12-16 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:51:20.883Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6527270"
              },
              {
                "name": "ibm-baw-cve202138883-xss (209165)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209165"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Process Manager",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.5"
                },
                {
                  "status": "affected",
                  "version": "8.6"
                }
              ]
            },
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "19.0.0"
                },
                {
                  "status": "affected",
                  "version": "20.0.0"
                },
                {
                  "status": "affected",
                  "version": "21.0"
                },
                {
                  "status": "affected",
                  "version": "18.0.0"
                }
              ]
            }
          ],
          "datePublic": "2021-12-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Automation Workflow 18.0, 19.0, 20,0 and 21.0 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209165."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "CHANGED",
                "temporalScore": 5.2,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/UI:R/S:C/AC:L/I:L/PR:L/A:N/AV:N/C:L/RL:O/RC:C/E:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-17T17:05:11.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6527270"
            },
            {
              "name": "ibm-baw-cve202138883-xss (209165)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209165"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2021-12-16T00:00:00",
              "ID": "CVE-2021-38883",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Process Manager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "8.5"
                              },
                              {
                                "version_value": "8.6"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "19.0.0"
                              },
                              {
                                "version_value": "20.0.0"
                              },
                              {
                                "version_value": "21.0"
                              },
                              {
                                "version_value": "18.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Automation Workflow 18.0, 19.0, 20,0 and 21.0 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209165."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "L",
                  "AV": "N",
                  "C": "L",
                  "I": "L",
                  "PR": "L",
                  "S": "C",
                  "UI": "R"
                },
                "TM": {
                  "E": "H",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6527270",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6527270 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6527270"
                },
                {
                  "name": "ibm-baw-cve202138883-xss (209165)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209165"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2021-38883",
        "datePublished": "2021-12-17T17:05:11.690Z",
        "dateReserved": "2021-08-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:25:14.421Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29753 (GCVE-0-2021-29753)

    Vulnerability from nvd – Published: 2021-11-05 17:15 – Updated: 2024-09-17 02:42
    VLAI
    Summary
    IBM Business Automation Workflow 18. 19, 20, 21, and IBM Business Process Manager 8.5 and d8.6 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
    CWE
    • Obtain Information
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Process Manager Affected: 8.5
    Affected: 8.6
    Create a notification for this product.
    IBM Business Automation Workflow Affected: 18.0
    Affected: 19.0
    Affected: 20.0
    Affected: 21.0
    Create a notification for this product.
    Date Public
    2021-11-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:18:02.454Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6513703"
              },
              {
                "name": "ibm-baw-cve202129753-info-disc (201919)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201919"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Process Manager",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.5"
                },
                {
                  "status": "affected",
                  "version": "8.6"
                }
              ]
            },
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0"
                },
                {
                  "status": "affected",
                  "version": "19.0"
                },
                {
                  "status": "affected",
                  "version": "20.0"
                },
                {
                  "status": "affected",
                  "version": "21.0"
                }
              ]
            }
          ],
          "datePublic": "2021-11-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Automation Workflow 18. 19, 20, 21, and IBM Business Process Manager 8.5 and d8.6 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "exploitCodeMaturity": "UNPROVEN",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 5.2,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/PR:N/C:H/S:U/AV:N/UI:N/A:N/AC:H/I:N/RC:C/RL:O/E:U",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Obtain Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-05T17:15:11.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6513703"
            },
            {
              "name": "ibm-baw-cve202129753-info-disc (201919)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201919"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2021-11-04T00:00:00",
              "ID": "CVE-2021-29753",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Process Manager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "8.5"
                              },
                              {
                                "version_value": "8.6"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "18.0"
                              },
                              {
                                "version_value": "19.0"
                              },
                              {
                                "version_value": "20.0"
                              },
                              {
                                "version_value": "21.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Automation Workflow 18. 19, 20, 21, and IBM Business Process Manager 8.5 and d8.6 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "H",
                  "AV": "N",
                  "C": "H",
                  "I": "N",
                  "PR": "N",
                  "S": "U",
                  "UI": "N"
                },
                "TM": {
                  "E": "U",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Obtain Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6513703",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6513703 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6513703"
                },
                {
                  "name": "ibm-baw-cve202129753-info-disc (201919)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201919"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2021-29753",
        "datePublished": "2021-11-05T17:15:11.376Z",
        "dateReserved": "2021-03-31T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:42:34.108Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29835 (GCVE-0-2021-29835)

    Vulnerability from nvd – Published: 2021-10-22 19:00 – Updated: 2024-09-16 16:28
    VLAI
    Summary
    IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204833.
    CWE
    • Cross-Site Scripting
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 18.0
    Affected: 19.0
    Affected: 20.0
    Affected: 21.0
    Create a notification for this product.
    Date Public
    2021-10-21 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:18:03.150Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6507319"
              },
              {
                "name": "ibm-baw-cve202129835-xss (204833)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/204833"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0"
                },
                {
                  "status": "affected",
                  "version": "19.0"
                },
                {
                  "status": "affected",
                  "version": "20.0"
                },
                {
                  "status": "affected",
                  "version": "21.0"
                }
              ]
            }
          ],
          "datePublic": "2021-10-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204833."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "UNPROVEN",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "CHANGED",
                "temporalScore": 4.7,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/C:L/PR:L/UI:R/S:C/A:N/AV:N/I:L/AC:L/RL:O/E:U/RC:C",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-22T19:00:12.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6507319"
            },
            {
              "name": "ibm-baw-cve202129835-xss (204833)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/204833"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2021-10-21T00:00:00",
              "ID": "CVE-2021-29835",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "18.0"
                              },
                              {
                                "version_value": "19.0"
                              },
                              {
                                "version_value": "20.0"
                              },
                              {
                                "version_value": "21.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204833."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "L",
                  "AV": "N",
                  "C": "L",
                  "I": "L",
                  "PR": "L",
                  "S": "C",
                  "UI": "R"
                },
                "TM": {
                  "E": "U",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6507319",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6507319 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6507319"
                },
                {
                  "name": "ibm-baw-cve202129835-xss (204833)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/204833"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2021-29835",
        "datePublished": "2021-10-22T19:00:12.252Z",
        "dateReserved": "2021-03-31T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:28:45.527Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29878 (GCVE-0-2021-29878)

    Vulnerability from nvd – Published: 2021-10-18 16:35 – Updated: 2024-09-17 01:36
    VLAI
    Summary
    IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 206581.
    CWE
    • Cross-Site Scripting
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 18.0.0.0
    Affected: 18.0.0.1
    Affected: 18.0.0.2
    Affected: 19.0.0.1
    Affected: 19.0.0.2
    Affected: 19.0.0.3
    Affected: 20.0.0.1
    Affected: 20.0.0.2
    Affected: 21.0.2
    Create a notification for this product.
    Date Public
    2021-10-15 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:18:03.192Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6501949"
              },
              {
                "name": "ibm-baw-cve202129878-xss (206581)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/206581"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0.0.0"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.3"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "21.0.2"
                }
              ]
            }
          ],
          "datePublic": "2021-10-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 206581."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "CHANGED",
                "temporalScore": 5.2,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/A:N/UI:R/PR:L/I:L/S:C/AV:N/C:L/AC:L/RL:O/RC:C/E:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-18T16:35:11.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6501949"
            },
            {
              "name": "ibm-baw-cve202129878-xss (206581)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/206581"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2021-10-15T00:00:00",
              "ID": "CVE-2021-29878",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "18.0.0.0"
                              },
                              {
                                "version_value": "18.0.0.1"
                              },
                              {
                                "version_value": "18.0.0.2"
                              },
                              {
                                "version_value": "19.0.0.1"
                              },
                              {
                                "version_value": "19.0.0.2"
                              },
                              {
                                "version_value": "19.0.0.3"
                              },
                              {
                                "version_value": "20.0.0.1"
                              },
                              {
                                "version_value": "20.0.0.2"
                              },
                              {
                                "version_value": "21.0.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 206581."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "L",
                  "AV": "N",
                  "C": "L",
                  "I": "L",
                  "PR": "L",
                  "S": "C",
                  "UI": "R"
                },
                "TM": {
                  "E": "H",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6501949",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6501949 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6501949"
                },
                {
                  "name": "ibm-baw-cve202129878-xss (206581)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/206581"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2021-29878",
        "datePublished": "2021-10-18T16:35:11.354Z",
        "dateReserved": "2021-03-31T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:36:37.802Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-54179 (GCVE-0-2024-54179)

    Vulnerability from cvelistv5 – Published: 2025-03-03 13:56 – Updated: 2025-09-01 01:10
    VLAI
    Title
    IBM Business Automation Workflow cross-site scripting
    Summary
    IBM Business Automation Workflow and IBM Business Automation Workflow Enterprise Service Bus 24.0.0, 24.0.1 and earlier unsupported versions are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7184647 vendor-advisorypatch
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 24.0.0
    Affected: 24.0.1
    Create a notification for this product.
    IBM Business Automation Workflow Enterprise Service Bus Affected: 24.0.0, 24.0.1
        cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:enterprise_service_bus:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:enterprise_service_bus:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-54179",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-03T14:21:46.003265Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-03T14:21:56.109Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "24.0.0"
                },
                {
                  "status": "affected",
                  "version": "24.0.1"
                }
              ]
            },
            {
              "cpes": [
                "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:traditional:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:traditional:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:enterprise_service_bus:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:24.0.1:*:*:*:enterprise_service_bus:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow Enterprise Service Bus",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "24.0.0, 24.0.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Business Automation Workflow and IBM Business Automation Workflow Enterprise Service Bus 24.0.0, 24.0.1 and earlier unsupported versions are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
                }
              ],
              "value": "IBM Business Automation Workflow and IBM Business Automation Workflow Enterprise Service Bus 24.0.0, 24.0.1 and earlier unsupported versions are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-01T01:10:19.247Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7184647"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow cross-site scripting",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2024-54179",
        "datePublished": "2025-03-03T13:56:50.099Z",
        "dateReserved": "2024-11-30T14:47:55.533Z",
        "dateUpdated": "2025-09-01T01:10:19.247Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-43188 (GCVE-0-2024-43188)

    Vulnerability from cvelistv5 – Published: 2024-09-18 11:39 – Updated: 2024-09-18 16:40
    VLAI
    Title
    IBM Business Automation Workflow improper input validation
    Summary
    IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 could allow a privileged user to perform unauthorized activities due to improper client side validation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-602 - Client-Side Enforcement of Server-Side Security
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 22.0.2, 23.0.1, 23.0.2, 24.0.0
        cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:-:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:-:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:-:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:-:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-43188",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-18T13:23:48.735450Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-18T13:23:58.053Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:-:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:-:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:-:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:-:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "22.0.2, 23.0.1, 23.0.2, 24.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Business Automation Workflow \n\n\u003cspan style=\"background-color: rgb(244, 244, 244);\"\u003e22.0.2, 23.0.1, 23.0.2, and 24.0.0\u003c/span\u003e\n\ncould allow a privileged user to perform unauthorized activities due to improper client side validation.\u003c/span\u003e"
                }
              ],
              "value": "IBM Business Automation Workflow \n\n22.0.2, 23.0.1, 23.0.2, and 24.0.0\n\ncould allow a privileged user to perform unauthorized activities due to improper client side validation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-602",
                  "description": "CWE-602 Client-Side Enforcement of Server-Side Security",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-18T16:40:53.717Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/7168769"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow improper input validation",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2024-43188",
        "datePublished": "2024-09-18T11:39:22.958Z",
        "dateReserved": "2024-08-07T13:29:34.029Z",
        "dateUpdated": "2024-09-18T16:40:53.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-38321 (GCVE-0-2024-38321)

    Vulnerability from cvelistv5 – Published: 2024-08-03 13:34 – Updated: 2024-08-03 18:49
    VLAI
    Title
    IBM Business Automation Workflow information disclosure
    Summary
    IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 stores potentially sensitive information in log files under certain situations that could be read by an authenticated user. IBM X-Force ID: 284868.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 22.0.2, 23.0.1, 23.0.2, 24.0.0
        cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:-:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:-:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:-:*:*:*
        cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:-:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-38321",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-03T18:49:18.410755Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:49:24.893Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:-:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:-:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:-:*:*:*",
                "cpe:2.3:a:ibm:business_automation_workflow:24.0.0:*:*:*:-:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "22.0.2, 23.0.1, 23.0.2, 24.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 stores potentially sensitive information in log files under certain situations that could be read by an authenticated user.  IBM X-Force ID:  284868."
                }
              ],
              "value": "IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 stores potentially sensitive information in log files under certain situations that could be read by an authenticated user.  IBM X-Force ID:  284868."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-03T13:34:16.845Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/7162334"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/294868"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow information disclosure",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2024-38321",
        "datePublished": "2024-08-03T13:34:16.845Z",
        "dateReserved": "2024-06-13T21:43:46.667Z",
        "dateUpdated": "2024-08-03T18:49:24.893Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50947 (GCVE-0-2023-50947)

    Vulnerability from cvelistv5 – Published: 2024-02-04 00:11 – Updated: 2024-08-22 17:41
    VLAI
    Title
    IBM Business Automation Workflow cross-site scripting
    Summary
    IBM Business Automation Workflow 22.0.2, 23.0.1, and 23.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 275665.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 22.0.2, 23.0.1, 23.0.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:23:44.041Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/7114419"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/7114430"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275665"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50947",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-22T17:40:47.403078Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-22T17:41:47.983Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "22.0.2, 23.0.1, 23.0.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Business Automation Workflow 22.0.2, 23.0.1, and 23.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  275665."
                }
              ],
              "value": "IBM Business Automation Workflow 22.0.2, 23.0.1, and 23.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  275665."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-04T00:11:02.465Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/7114419"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/7114430"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275665"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow cross-site scripting",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2023-50947",
        "datePublished": "2024-02-04T00:11:02.465Z",
        "dateReserved": "2023-12-16T19:35:35.358Z",
        "dateUpdated": "2024-08-22T17:41:47.983Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32339 (GCVE-0-2023-32339)

    Vulnerability from cvelistv5 – Published: 2023-06-27 16:57 – Updated: 2024-11-06 20:43
    VLAI
    Title
    IBM Business Automation Workflow cross-site scripting
    Summary
    IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 255587.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 19.0.0.1 , ≤ 19.0.0.3 (semver)
    Affected: 20.0.0.1 , ≤ 20.0.0.2 (semver)
    Affected: 21.0.1 , ≤ 21.0.3.1 (semver)
    Affected: 21.0.1 , ≤ 22.0.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:10:24.941Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://https://www.ibm.com/support/pages/node/7001291"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://https://www.ibm.com/support/pages/node/6998727"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6998727"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32339",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-06T20:42:49.082015Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-06T20:43:01.731Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0.3",
                  "status": "affected",
                  "version": "19.0.0.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "20.0.0.2",
                  "status": "affected",
                  "version": "20.0.0.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "21.0.3.1",
                  "status": "affected",
                  "version": "21.0.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.0.2",
                  "status": "affected",
                  "version": "21.0.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  255587."
                }
              ],
              "value": "IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  255587."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-27T16:57:53.458Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://https://www.ibm.com/support/pages/node/7001291"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://https://www.ibm.com/support/pages/node/6998727"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://www.ibm.com/support/pages/node/6998727"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow cross-site scripting",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2023-32339",
        "datePublished": "2023-06-27T16:57:53.458Z",
        "dateReserved": "2023-05-08T18:32:52.654Z",
        "dateUpdated": "2024-11-06T20:43:01.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-24957 (GCVE-0-2023-24957)

    Vulnerability from cvelistv5 – Published: 2023-05-06 02:05 – Updated: 2025-01-29 16:06
    VLAI
    Title
    IBM Business Automation Workflow cross-site scripting
    Summary
    IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 246115.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, 22.0.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:11:43.746Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6965776"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/246115"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-24957",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-29T16:04:42.276083Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-29T16:06:32.818Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, 22.0.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  246115."
                }
              ],
              "value": "IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  246115."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-06T02:05:46.959Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/6965776"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/246115"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow cross-site scripting",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2023-24957",
        "datePublished": "2023-05-06T02:05:46.959Z",
        "dateReserved": "2023-02-01T02:39:37.386Z",
        "dateUpdated": "2025-01-29T16:06:32.818Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-42435 (GCVE-0-2022-42435)

    Vulnerability from cvelistv5 – Published: 2023-01-03 23:16 – Updated: 2025-04-10 14:36
    VLAI
    Title
    IBM Business Automation Workflow cross-site request forgery
    Summary
    IBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 238054.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T13:10:41.010Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6852217"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/238054"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-42435",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-10T14:36:08.900745Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-10T14:36:21.653Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0.0,   18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\n\u003cspan style=\"background-color: rgb(204, 217, 226);\"\u003eIBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 238054.\u003c/span\u003e\n\n"
                }
              ],
              "value": "\nIBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 238054.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-03T23:16:13.875Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/6852217"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/238054"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Business Automation Workflow cross-site request forgery",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2022-42435",
        "datePublished": "2023-01-03T23:16:13.875Z",
        "dateReserved": "2022-10-06T15:51:26.497Z",
        "dateUpdated": "2025-04-10T14:36:21.653Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-38390 (GCVE-0-2022-38390)

    Vulnerability from cvelistv5 – Published: 2022-11-17 16:48 – Updated: 2025-04-29 13:46
    VLAI
    Summary
    Multiple IBM Business Automation Workflow versions are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 233978.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 22.0.1
    Affected: 21.0.1 , < 21.0.3.1 (custom)
    Affected: 20.0.0.1 , < 20.0.0.2 (custom)
    Affected: 19.0.0.1 , < 19.0.0.3 (custom)
    Affected: 18.0.0.0 , < 18.0.0.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:54:03.745Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6839847"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233978"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-38390",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-29T13:46:19.799908Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-29T13:46:49.770Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "22.0.1"
                },
                {
                  "lessThan": "21.0.3.1",
                  "status": "affected",
                  "version": "21.0.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "20.0.0.2",
                  "status": "affected",
                  "version": "20.0.0.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "19.0.0.3",
                  "status": "affected",
                  "version": "19.0.0.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "18.0.0.2",
                  "status": "affected",
                  "version": "18.0.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple IBM Business Automation Workflow versions are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  233978."
                }
              ],
              "value": "Multiple IBM Business Automation Workflow versions are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  233978."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-17T16:48:11.088Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/6839847"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233978"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2022-38390",
        "datePublished": "2022-11-17T16:48:11.088Z",
        "dateReserved": "2022-08-16T18:42:49.433Z",
        "dateUpdated": "2025-04-29T13:46:49.770Z",
        "requesterUserId": "69938c14-a5a2-41ac-a450-71ed41911136",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22361 (GCVE-0-2022-22361)

    Vulnerability from cvelistv5 – Published: 2022-05-31 15:45 – Updated: 2024-09-16 19:30
    VLAI
    Summary
    IBM Business Automation Workflow traditional 21.0.1 through 21.0.3, 20.0.0.1 through 20.0.0.2, 19.0.0.1 through 19.0.0.3, 18.0.0.0 through 18.0.0.1, IBM Business Automation Workflow containers V21.0.1 - V21.0.3 20.0.0.1 through 20.0.0.2, IBM Business Process Manager 8.6.0.0 through 8.6.0.201803, and 8.5.0.0 through 8.5.0.201706 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
    CWE
    • Gain Access
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Process Manager Affected: 8.6.0.0
    Affected: 8.5.0.0
    Affected: 8.5.0.201706
    Affected: 8.6.0.201803
    Create a notification for this product.
    IBM Business Automation Workflow Affected: 18.0.0.0
    Affected: 18.0.0.1
    Affected: 19.0.0.1
    Affected: 19.0.0.3
    Affected: 20.0.0.1
    Affected: 20.0.0.2
    Affected: 21.0.3
    Affected: 21.0.1
    Create a notification for this product.
    Date Public
    2022-05-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:14:54.839Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6590411"
              },
              {
                "name": "ibm-baw-cve202222361-csrf (220784)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220784"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Process Manager",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.6.0.0"
                },
                {
                  "status": "affected",
                  "version": "8.5.0.0"
                },
                {
                  "status": "affected",
                  "version": "8.5.0.201706"
                },
                {
                  "status": "affected",
                  "version": "8.6.0.201803"
                }
              ]
            },
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0.0.0"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.3"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "21.0.3"
                },
                {
                  "status": "affected",
                  "version": "21.0.1"
                }
              ]
            }
          ],
          "datePublic": "2022-05-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Automation Workflow traditional 21.0.1 through 21.0.3, 20.0.0.1 through 20.0.0.2, 19.0.0.1 through 19.0.0.3, 18.0.0.0 through 18.0.0.1, IBM Business Automation Workflow containers V21.0.1 - V21.0.3 20.0.0.1 through 20.0.0.2, IBM Business Process Manager 8.6.0.0 through 8.6.0.201803, and 8.5.0.0 through 8.5.0.201706 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "exploitCodeMaturity": "UNPROVEN",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 3.8,
                "temporalSeverity": "LOW",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/PR:N/S:U/C:N/A:N/AC:L/AV:N/UI:R/I:L/RC:C/RL:O/E:U",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Gain Access",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-31T15:45:13.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6590411"
            },
            {
              "name": "ibm-baw-cve202222361-csrf (220784)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220784"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2022-05-27T00:00:00",
              "ID": "CVE-2022-22361",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Process Manager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "8.6.0.0"
                              },
                              {
                                "version_value": "8.5.0.0"
                              },
                              {
                                "version_value": "8.5.0.201706"
                              },
                              {
                                "version_value": "8.6.0.201803"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "18.0.0.0"
                              },
                              {
                                "version_value": "18.0.0.1"
                              },
                              {
                                "version_value": "19.0.0.1"
                              },
                              {
                                "version_value": "19.0.0.3"
                              },
                              {
                                "version_value": "20.0.0.1"
                              },
                              {
                                "version_value": "20.0.0.2"
                              },
                              {
                                "version_value": "21.0.3"
                              },
                              {
                                "version_value": "21.0.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Automation Workflow traditional 21.0.1 through 21.0.3, 20.0.0.1 through 20.0.0.2, 19.0.0.1 through 19.0.0.3, 18.0.0.0 through 18.0.0.1, IBM Business Automation Workflow containers V21.0.1 - V21.0.3 20.0.0.1 through 20.0.0.2, IBM Business Process Manager 8.6.0.0 through 8.6.0.201803, and 8.5.0.0 through 8.5.0.201706 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "L",
                  "AV": "N",
                  "C": "N",
                  "I": "L",
                  "PR": "N",
                  "S": "U",
                  "UI": "R"
                },
                "TM": {
                  "E": "U",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Gain Access"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6590411",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6590411 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6590411"
                },
                {
                  "name": "ibm-baw-cve202222361-csrf (220784)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220784"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2022-22361",
        "datePublished": "2022-05-31T15:45:13.828Z",
        "dateReserved": "2022-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:30:44.287Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-39046 (GCVE-0-2021-39046)

    Vulnerability from cvelistv5 – Published: 2022-03-18 15:40 – Updated: 2024-09-16 22:02
    VLAI
    Summary
    IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 stores user credentials in plain clear text which can be read by a lprivileged user. IBM X-Force ID: 214346.
    CWE
    • Obtain Information
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 18.0.0.0
    Affected: 18.0.0.1
    Affected: 18.0.0.2
    Affected: 19.0.0.1
    Affected: 19.0.0.2
    Affected: 19.0.0.3
    Affected: 20.0.0.1
    Affected: 20.0.0.2
    Affected: 21.0.2
    Affected: 21.0.3
    Create a notification for this product.
    IBM Business Process Manager Affected: 8.5
    Affected: 8.6
    Create a notification for this product.
    Date Public
    2022-03-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:58:17.584Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6564387"
              },
              {
                "name": "ibm-baw-cve202139046-info-disc (214346)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/214346"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0.0.0"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.3"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "21.0.2"
                },
                {
                  "status": "affected",
                  "version": "21.0.3"
                }
              ]
            },
            {
              "product": "Business Process Manager",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.5"
                },
                {
                  "status": "affected",
                  "version": "8.6"
                }
              ]
            }
          ],
          "datePublic": "2022-03-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 stores user credentials in plain clear text which can be read by a lprivileged user. IBM X-Force ID: 214346."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "exploitCodeMaturity": "UNPROVEN",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 4.3,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/I:N/PR:H/AC:L/S:U/AV:N/A:N/UI:N/C:H/E:U/RL:O/RC:C",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Obtain Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-18T15:40:16.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6564387"
            },
            {
              "name": "ibm-baw-cve202139046-info-disc (214346)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/214346"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2022-03-17T00:00:00",
              "ID": "CVE-2021-39046",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "18.0.0.0"
                              },
                              {
                                "version_value": "18.0.0.1"
                              },
                              {
                                "version_value": "18.0.0.2"
                              },
                              {
                                "version_value": "19.0.0.1"
                              },
                              {
                                "version_value": "19.0.0.2"
                              },
                              {
                                "version_value": "19.0.0.3"
                              },
                              {
                                "version_value": "20.0.0.1"
                              },
                              {
                                "version_value": "20.0.0.2"
                              },
                              {
                                "version_value": "21.0.2"
                              },
                              {
                                "version_value": "21.0.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Business Process Manager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "8.5"
                              },
                              {
                                "version_value": "8.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 stores user credentials in plain clear text which can be read by a lprivileged user. IBM X-Force ID: 214346."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "L",
                  "AV": "N",
                  "C": "H",
                  "I": "N",
                  "PR": "H",
                  "S": "U",
                  "UI": "N"
                },
                "TM": {
                  "E": "U",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Obtain Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6564387",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6564387 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6564387"
                },
                {
                  "name": "ibm-baw-cve202139046-info-disc (214346)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/214346"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2021-39046",
        "datePublished": "2022-03-18T15:40:16.124Z",
        "dateReserved": "2021-08-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:02:31.526Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-38900 (GCVE-0-2021-38900)

    Vulnerability from cvelistv5 – Published: 2021-12-21 19:10 – Updated: 2024-09-17 01:40
    VLAI
    Summary
    IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607.
    CWE
    • Obtain Information
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 18.0.0.0
    Affected: 18.0.0.1
    Affected: 18.0.0.2
    Affected: 19.0.0.1
    Affected: 19.0.0.2
    Affected: 19.0.0.3
    Affected: 20.0.0.1
    Affected: 20.0.0.2
    Affected: 21.0.2
    Create a notification for this product.
    IBM Cloud Pak for Automation Affected: 21.0.2
    Create a notification for this product.
    Date Public
    2021-12-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:51:20.879Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6527776"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6528296"
              },
              {
                "name": "ibm-baw-cve202138900-info-disc (209607)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209607"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0.0.0"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.3"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "21.0.2"
                }
              ]
            },
            {
              "product": "Cloud Pak for Automation",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.0.2"
                }
              ]
            }
          ],
          "datePublic": "2021-12-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "exploitCodeMaturity": "UNPROVEN",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 4.3,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/A:N/AV:N/AC:L/UI:N/S:U/C:H/PR:H/I:N/RC:C/E:U/RL:O",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Obtain Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-21T19:10:15.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6527776"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6528296"
            },
            {
              "name": "ibm-baw-cve202138900-info-disc (209607)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209607"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2021-12-20T00:00:00",
              "ID": "CVE-2021-38900",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "18.0.0.0"
                              },
                              {
                                "version_value": "18.0.0.1"
                              },
                              {
                                "version_value": "18.0.0.2"
                              },
                              {
                                "version_value": "19.0.0.1"
                              },
                              {
                                "version_value": "19.0.0.2"
                              },
                              {
                                "version_value": "19.0.0.3"
                              },
                              {
                                "version_value": "20.0.0.1"
                              },
                              {
                                "version_value": "20.0.0.2"
                              },
                              {
                                "version_value": "21.0.2"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Cloud Pak for Automation",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "21.0.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "L",
                  "AV": "N",
                  "C": "H",
                  "I": "N",
                  "PR": "H",
                  "S": "U",
                  "UI": "N"
                },
                "TM": {
                  "E": "U",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Obtain Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6527776",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6527776 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6527776"
                },
                {
                  "name": "https://www.ibm.com/support/pages/node/6528296",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6528296 (Cloud Pak for Automation)",
                  "url": "https://www.ibm.com/support/pages/node/6528296"
                },
                {
                  "name": "ibm-baw-cve202138900-info-disc (209607)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209607"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2021-38900",
        "datePublished": "2021-12-21T19:10:16.020Z",
        "dateReserved": "2021-08-16T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:40:57.148Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-38883 (GCVE-0-2021-38883)

    Vulnerability from cvelistv5 – Published: 2021-12-17 17:05 – Updated: 2024-09-16 19:25
    VLAI
    Summary
    IBM Business Automation Workflow 18.0, 19.0, 20,0 and 21.0 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209165.
    CWE
    • Cross-Site Scripting
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Process Manager Affected: 8.5
    Affected: 8.6
    Create a notification for this product.
    IBM Business Automation Workflow Affected: 19.0.0
    Affected: 20.0.0
    Affected: 21.0
    Affected: 18.0.0
    Create a notification for this product.
    Date Public
    2021-12-16 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:51:20.883Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6527270"
              },
              {
                "name": "ibm-baw-cve202138883-xss (209165)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209165"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Process Manager",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.5"
                },
                {
                  "status": "affected",
                  "version": "8.6"
                }
              ]
            },
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "19.0.0"
                },
                {
                  "status": "affected",
                  "version": "20.0.0"
                },
                {
                  "status": "affected",
                  "version": "21.0"
                },
                {
                  "status": "affected",
                  "version": "18.0.0"
                }
              ]
            }
          ],
          "datePublic": "2021-12-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Automation Workflow 18.0, 19.0, 20,0 and 21.0 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209165."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "CHANGED",
                "temporalScore": 5.2,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/UI:R/S:C/AC:L/I:L/PR:L/A:N/AV:N/C:L/RL:O/RC:C/E:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-17T17:05:11.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6527270"
            },
            {
              "name": "ibm-baw-cve202138883-xss (209165)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209165"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2021-12-16T00:00:00",
              "ID": "CVE-2021-38883",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Process Manager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "8.5"
                              },
                              {
                                "version_value": "8.6"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "19.0.0"
                              },
                              {
                                "version_value": "20.0.0"
                              },
                              {
                                "version_value": "21.0"
                              },
                              {
                                "version_value": "18.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Automation Workflow 18.0, 19.0, 20,0 and 21.0 and IBM Business Process Manager 8.5 and 8.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209165."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "L",
                  "AV": "N",
                  "C": "L",
                  "I": "L",
                  "PR": "L",
                  "S": "C",
                  "UI": "R"
                },
                "TM": {
                  "E": "H",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6527270",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6527270 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6527270"
                },
                {
                  "name": "ibm-baw-cve202138883-xss (209165)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209165"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2021-38883",
        "datePublished": "2021-12-17T17:05:11.690Z",
        "dateReserved": "2021-08-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:25:14.421Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29753 (GCVE-0-2021-29753)

    Vulnerability from cvelistv5 – Published: 2021-11-05 17:15 – Updated: 2024-09-17 02:42
    VLAI
    Summary
    IBM Business Automation Workflow 18. 19, 20, 21, and IBM Business Process Manager 8.5 and d8.6 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
    CWE
    • Obtain Information
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Process Manager Affected: 8.5
    Affected: 8.6
    Create a notification for this product.
    IBM Business Automation Workflow Affected: 18.0
    Affected: 19.0
    Affected: 20.0
    Affected: 21.0
    Create a notification for this product.
    Date Public
    2021-11-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:18:02.454Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6513703"
              },
              {
                "name": "ibm-baw-cve202129753-info-disc (201919)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201919"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Process Manager",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.5"
                },
                {
                  "status": "affected",
                  "version": "8.6"
                }
              ]
            },
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0"
                },
                {
                  "status": "affected",
                  "version": "19.0"
                },
                {
                  "status": "affected",
                  "version": "20.0"
                },
                {
                  "status": "affected",
                  "version": "21.0"
                }
              ]
            }
          ],
          "datePublic": "2021-11-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Automation Workflow 18. 19, 20, 21, and IBM Business Process Manager 8.5 and d8.6 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "exploitCodeMaturity": "UNPROVEN",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 5.2,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/PR:N/C:H/S:U/AV:N/UI:N/A:N/AC:H/I:N/RC:C/RL:O/E:U",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Obtain Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-05T17:15:11.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6513703"
            },
            {
              "name": "ibm-baw-cve202129753-info-disc (201919)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201919"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2021-11-04T00:00:00",
              "ID": "CVE-2021-29753",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Process Manager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "8.5"
                              },
                              {
                                "version_value": "8.6"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "18.0"
                              },
                              {
                                "version_value": "19.0"
                              },
                              {
                                "version_value": "20.0"
                              },
                              {
                                "version_value": "21.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Automation Workflow 18. 19, 20, 21, and IBM Business Process Manager 8.5 and d8.6 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "H",
                  "AV": "N",
                  "C": "H",
                  "I": "N",
                  "PR": "N",
                  "S": "U",
                  "UI": "N"
                },
                "TM": {
                  "E": "U",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Obtain Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6513703",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6513703 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6513703"
                },
                {
                  "name": "ibm-baw-cve202129753-info-disc (201919)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201919"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2021-29753",
        "datePublished": "2021-11-05T17:15:11.376Z",
        "dateReserved": "2021-03-31T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:42:34.108Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29835 (GCVE-0-2021-29835)

    Vulnerability from cvelistv5 – Published: 2021-10-22 19:00 – Updated: 2024-09-16 16:28
    VLAI
    Summary
    IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204833.
    CWE
    • Cross-Site Scripting
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 18.0
    Affected: 19.0
    Affected: 20.0
    Affected: 21.0
    Create a notification for this product.
    Date Public
    2021-10-21 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:18:03.150Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6507319"
              },
              {
                "name": "ibm-baw-cve202129835-xss (204833)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/204833"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0"
                },
                {
                  "status": "affected",
                  "version": "19.0"
                },
                {
                  "status": "affected",
                  "version": "20.0"
                },
                {
                  "status": "affected",
                  "version": "21.0"
                }
              ]
            }
          ],
          "datePublic": "2021-10-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204833."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "UNPROVEN",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "CHANGED",
                "temporalScore": 4.7,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/C:L/PR:L/UI:R/S:C/A:N/AV:N/I:L/AC:L/RL:O/E:U/RC:C",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-22T19:00:12.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6507319"
            },
            {
              "name": "ibm-baw-cve202129835-xss (204833)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/204833"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2021-10-21T00:00:00",
              "ID": "CVE-2021-29835",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "18.0"
                              },
                              {
                                "version_value": "19.0"
                              },
                              {
                                "version_value": "20.0"
                              },
                              {
                                "version_value": "21.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204833."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "L",
                  "AV": "N",
                  "C": "L",
                  "I": "L",
                  "PR": "L",
                  "S": "C",
                  "UI": "R"
                },
                "TM": {
                  "E": "U",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6507319",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6507319 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6507319"
                },
                {
                  "name": "ibm-baw-cve202129835-xss (204833)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/204833"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2021-29835",
        "datePublished": "2021-10-22T19:00:12.252Z",
        "dateReserved": "2021-03-31T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:28:45.527Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29878 (GCVE-0-2021-29878)

    Vulnerability from cvelistv5 – Published: 2021-10-18 16:35 – Updated: 2024-09-17 01:36
    VLAI
    Summary
    IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 206581.
    CWE
    • Cross-Site Scripting
    Assigner
    ibm
    References
    Impacted products
    Vendor Product Version
    IBM Business Automation Workflow Affected: 18.0.0.0
    Affected: 18.0.0.1
    Affected: 18.0.0.2
    Affected: 19.0.0.1
    Affected: 19.0.0.2
    Affected: 19.0.0.3
    Affected: 20.0.0.1
    Affected: 20.0.0.2
    Affected: 21.0.2
    Create a notification for this product.
    Date Public
    2021-10-15 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:18:03.192Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/6501949"
              },
              {
                "name": "ibm-baw-cve202129878-xss (206581)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/206581"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Business Automation Workflow",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "18.0.0.0"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "18.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "19.0.0.3"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.1"
                },
                {
                  "status": "affected",
                  "version": "20.0.0.2"
                },
                {
                  "status": "affected",
                  "version": "21.0.2"
                }
              ]
            }
          ],
          "datePublic": "2021-10-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 206581."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "OFFICIAL_FIX",
                "reportConfidence": "CONFIRMED",
                "scope": "CHANGED",
                "temporalScore": 5.2,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/A:N/UI:R/PR:L/I:L/S:C/AV:N/C:L/AC:L/RL:O/RC:C/E:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-18T16:35:11.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.ibm.com/support/pages/node/6501949"
            },
            {
              "name": "ibm-baw-cve202129878-xss (206581)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/206581"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "DATE_PUBLIC": "2021-10-15T00:00:00",
              "ID": "CVE-2021-29878",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Business Automation Workflow",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "18.0.0.0"
                              },
                              {
                                "version_value": "18.0.0.1"
                              },
                              {
                                "version_value": "18.0.0.2"
                              },
                              {
                                "version_value": "19.0.0.1"
                              },
                              {
                                "version_value": "19.0.0.2"
                              },
                              {
                                "version_value": "19.0.0.3"
                              },
                              {
                                "version_value": "20.0.0.1"
                              },
                              {
                                "version_value": "20.0.0.2"
                              },
                              {
                                "version_value": "21.0.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 206581."
                }
              ]
            },
            "impact": {
              "cvssv3": {
                "BM": {
                  "A": "N",
                  "AC": "L",
                  "AV": "N",
                  "C": "L",
                  "I": "L",
                  "PR": "L",
                  "S": "C",
                  "UI": "R"
                },
                "TM": {
                  "E": "H",
                  "RC": "C",
                  "RL": "O"
                }
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.ibm.com/support/pages/node/6501949",
                  "refsource": "CONFIRM",
                  "title": "IBM Security Bulletin 6501949 (Business Automation Workflow)",
                  "url": "https://www.ibm.com/support/pages/node/6501949"
                },
                {
                  "name": "ibm-baw-cve202129878-xss (206581)",
                  "refsource": "XF",
                  "title": "X-Force Vulnerability Report",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/206581"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2021-29878",
        "datePublished": "2021-10-18T16:35:11.354Z",
        "dateReserved": "2021-03-31T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:36:37.802Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }