VYPR
Unrated severity · NVD Advisory · Published Jan 21, 2015 · Updated May 6, 2026

CVE-2014-8913

Description

Cross-site scripting in IBM Business Process Manager Process Portal allows authenticated users to inject arbitrary web script via a crafted URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

IBM Business Process Manager (BPM) Process Portal versions 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 are vulnerable to a stored or reflected cross-site scripting (XSS) issue due to improper validation of user-supplied input [1][3]. The vulnerability exists in the Process Portal component and can be triggered via a specially crafted URL.

Exploitation

An attacker must be a remote authenticated user with access to the Process Portal. By crafting a malicious URL containing script code and tricking another authenticated user into clicking it, the attacker can execute arbitrary web script or HTML in the victim's browser within the security context of the hosting web site [1][3]. No additional privileges are required beyond authentication.

Impact

Successful exploitation allows the attacker to steal the victim's cookie-based authentication credentials, leading to session hijacking and unauthorized access to the BPM environment [1][3]. The impact is limited to confidentiality and integrity of the user's session; the CVSS base score is 3.5 (low) [1].

Mitigation

IBM released fixes for affected versions: V8.0.1.3, V8.5.0.0, V8.5.0.1, and V8.5.5.0 via APAR JR51742 [3]. Users should apply the fix from IBM Fix Central. No workaround is documented; the fix sanitizes parameters to prevent script injection [3].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9
    • cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:business_process_manager:8.0.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:business_process_manager:8.5.5.0:*:*:*:*:*:*:*
    • (no CPE) range: 8.0–8.0.1.3, 8.5.0–8.5.0.1, 8.5.5

References

5
