CVE-2016-9693 — MEDIUM (6.1)

Vulnerability Description

IBM Business Process Manager 7.5, 8.0, and 8.5 has a file download capability that is vulnerable to a set of attacks. Ultimately, an attacker can cause an unauthenticated victim to download a malicious payload. An existing file type restriction can be bypassed so that the payload might be considered executable and cause damage on the victim's machine. IBM Reference #: 1998655.

CVSS Score

6.1

MEDIUM

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Ibm	Business Process Manager	7.5.0.0
Ibm	Websphere	7.2

Related Weaknesses (CWE)

CWE-20

References

http://www.securityfocus.com/bid/98074
https://www.ibm.com/support/docview.wss?uid=swg21998655PatchVendor Advisory
http://www.securityfocus.com/bid/98074
https://www.ibm.com/support/docview.wss?uid=swg21998655PatchVendor Advisory

FAQ

What is CVE-2016-9693?

CVE-2016-9693 is a vulnerability with a CVSS score of 6.1 (MEDIUM). IBM Business Process Manager 7.5, 8.0, and 8.5 has a file download capability that is vulnerable to a set of attacks. Ultimately, an attacker can cause an unauthenticated victim to download a maliciou...

How severe is CVE-2016-9693?

CVE-2016-9693 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-9693?

Check the references section above for vendor advisories and patch information. Affected products include: Ibm Business Process Manager, Ibm Websphere.