CVE-2014-0908

medium

Description

The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/91870

http://www-01.ibm.com/support/docview.wss?uid=swg21669330

http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505

Details

Source: Mitre, NVD

Published: 2014-04-10

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.005