Description
A weakness has been reported in IBM Business Process Manager, which can be exploited by malicious people to conduct spoofing attacks.
Certain input passed to the serve-static module for Node.js is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when the user clicks a specially crafted link to the affected script hosted on a trusted domain.
The weakness is reported in version 8.5.5.
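As an added example (not code from serve-static or IBM), the following Node.js snippet shows how a directory redirect built from the raw request path can end up pointing at another host, next to a hardened version that only ever emits a same-origin path. The function names and the sample request targets are constructed for illustration.

```javascript
// Added example, not serve-static's own code: a directory redirect that is
// built from the raw request path, shown beside a hardened version.
// Pure functions only, so it runs under plain Node without Express.

// Split a request target such as "/docs?page=2" into path and query parts.
function splitTarget(requestUrl) {
  const q = requestUrl.indexOf('?');
  return q === -1
    ? { pathname: requestUrl, search: '' }
    : { pathname: requestUrl.slice(0, q), search: requestUrl.slice(q) };
}

// Naive version: add a trailing slash to whatever pathname the client sent.
// For a request target of "//other-host.example" this yields
// "//other-host.example/", which browsers treat as a protocol-relative URL
// on a different host, so the trusted site redirects the user off-site.
function naiveDirectoryRedirect(requestUrl) {
  const { pathname, search } = splitTarget(requestUrl);
  return pathname + '/' + search;
}

// A Location value is a same-origin path only if it starts with exactly one
// slash, contains no backslash (some browsers normalise "\" to "/") and no
// control characters that could split the header.
function isSameOriginPath(location) {
  return (
    location.startsWith('/') &&
    !/^\/[\/\\]/.test(location) &&
    !/\\/.test(location) &&
    !/[\x00-\x1f\x7f]/.test(location)
  );
}

// Hardened version: collapse any run of leading slashes to a single one, then
// refuse to redirect at all (return null, caller answers 400) if the result
// still is not a plain same-origin path.
function safeDirectoryRedirect(requestUrl) {
  const { pathname, search } = splitTarget(requestUrl);
  const collapsed = pathname.replace(/^\/+/, '/');
  if (!isSameOriginPath(collapsed)) {
    return null;
  }
  return collapsed + '/' + search;
}

module.exports = { naiveDirectoryRedirect, safeDirectoryRedirect, isSameOriginPath };
```

The hardened function keeps the ordinary case ("/docs?page=2" still becomes "/docs/?page=2") while turning the protocol-relative form into a same-origin path and rejecting backslash variants outright.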
Vulnerable Products
Vulnerable Software: IBM Business Process Manager 8.x
Solution
Apply the interim fix for APAR JR52288. See the vendor's advisory for details.
CVE
CVE-2015-1164
References
IBM (JR52288):
https://www.ibm.com/support/docview.wss?uid=swg21694924
pierre-elie:
https://github.com/expressjs/serve-static/issues/26
Vulnerability Manager Detection
No
IPS Protection