Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 before 8.5.6.0 CF1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
http://www.securitytracker.com/id/1033733
http://www-01.ibm.com/support/docview.wss?uid=swg21966010
http://www-01.ibm.com/support/docview.wss?uid=swg1JR54007