CVE-2013-6465
Description
CVE-2013-6465 describes stored XSS in jBPM KIE Workbench 6.0.x, allowing authenticated users to execute arbitrary HTML/JS via task name inputs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2013-6465 is a stored cross-site scripting (XSS) vulnerability in the JBPM KIE Workbench, specifically in version 6.0.x. The flaw resides in the jbpm-console-ng-human-tasks client module, where the onTaskSelectionEvent method in TaskDetailsMultiPresenter directly concatenates the task name without escaping [2]. This allows injection of arbitrary HTML or script content through the task name input field, which persists in the workbench's task display [1][3].
Exploitation
An attacker must be a remote authenticated user with permission to create or edit tasks in the jBPM workbench [3]. The attacker injects malicious script or HTML into the task name field when creating or updating a task. When other users (including administrators) navigate to pages that render task details, the injected code is executed in the context of the victim's browser session [2][3].
Impact
Successful exploitation leads to stored cross-site scripting, enabling the attacker to execute arbitrary web script in the browser of any user viewing the affected task details. This can result in session hijacking, sensitive information disclosure, or further compromise of the workbench environment within the victim's authenticated session [3].
Mitigation
Red Hat issued a fix in the commit 4818204506e8e94645b52adb9426bedfa9ffdd04, which escapes the task name using SafeHtmlUtils.htmlEscape() [2]. The fix was included in a later release of JBPM KIE Workbench (post-6.0.x). Users should upgrade to a patched version. No workaround is documented; the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:redhat:jbpm:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm:6.0.0:alpha7:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm:6.0.0:alpha9:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm:6.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm:6.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm:6.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm:6.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm:6.0.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm:6.0.0:cr1:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm:6.0.0:cr2:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm:6.0.0:cr3:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm:6.0.0:cr4:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm:6.0.0:cr5:*:*:*:*:*:*
- Range: 6.0.x
Patches
4818204506e8 BZ-1049109: escaping task name html inputs
1 file changed · +2 −1
jbpm-console-ng-human-tasks/jbpm-console-ng-human-tasks-client/src/main/java/org/jbpm/console/ng/ht/client/editors/taskdetailsmulti/TaskDetailsMultiPresenter.java+2 −1 modified@@ -20,6 +20,7 @@ import javax.inject.Inject; import com.google.gwt.core.client.GWT; +import com.google.gwt.safehtml.shared.SafeHtmlUtils; import com.google.gwt.user.client.ui.HTMLPanel; import com.google.gwt.user.client.ui.IsWidget; import java.util.HashMap; @@ -117,7 +118,7 @@ public void onTaskSelectionEvent(@Observes TaskSelectionEvent event){ selectedTaskId = event.getTaskId(); selectedTaskName = event.getTaskName(); - view.getTaskIdAndName().setText(String.valueOf(selectedTaskId) + " - "+selectedTaskName); + view.getTaskIdAndName().setText(SafeHtmlUtils.htmlEscape(String.valueOf(selectedTaskId) + " - "+selectedTaskName)); view.getContent().clear();
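Review bot: in the second hunk the escaping is applied before `setText`, which is only correct if `view.getTaskIdAndName()` is a widget that injects its string as HTML; if it is a plain text widget, `htmlEscape` will double-encode and the user will see `&lt;` and `&amp;` literally. Confirm which sink the view uses and, if it is HTML-aware, prefer handing it a `SafeHtml` (for example `SafeHtmlUtils.fromString(...)`) through an HTML setter rather than escaping a `String` in the presenter. Also note that the hunk escapes only this one concatenation of `selectedTaskName`; any other place in the module that renders the task name should get the same treatment, and a short comment on the escaped line stating why it is escaped (BZ-1049109) would help the next reader.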
Vulnerability mechanics
Root cause
"The application fails to sanitize user-provided task name input before rendering it in the web interface, leading to cross-site scripting."
Attack vector
An authenticated remote user can trigger this vulnerability by injecting malicious scripts or HTML into task name fields [CWE-79]. When the application renders these task names in the user interface, the injected payload is executed in the context of the victim's browser session. This vector relies on the application's failure to properly neutralize input during web page generation [CWE-79].
Affected code
The vulnerability is located in `jbpm-console-ng-human-tasks/jbpm-console-ng-human-tasks-client/src/main/java/org/jbpm/console/ng/ht/client/editors/taskdetailsmulti/TaskDetailsMultiPresenter.java`. Specifically, the `onTaskSelectionEvent` method was identified as the location where unsanitized task name data was processed [patch_id=4373370].
What the fix does
The patch [patch_id=4373370] introduces the use of `SafeHtmlUtils.htmlEscape` to sanitize the task name string before it is displayed. By applying this function, the application ensures that any HTML or script characters within the task name are properly escaped, preventing them from being interpreted as executable code by the browser. This change effectively mitigates the cross-site scripting vulnerability [CWE-79].
Preconditions
- The attacker must be an authenticated user.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking, Patch)
- github.com/kiegroup/jbpm-wb/commit/4818204506e8e94645b52adb9426bedfa9ffdd04 (nvd: Patch)
- github.com/kiegroup/jbpm-wb/compare/6.0.x (nvd: Release Notes)