Gregory Draperi reports: A cross-site scripting flaw has been reported in jBPM. The flaw allows remote authenticated attackers to store arbitrary script code in certain jBPM workbench fields; the script could be executed later in the context of other users while they browse through several workbench pages.
Acknowledgements: Red Hat would like to thank Grégory DRAPERI for reporting this issue.
Upstream patch commit: https://github.com/droolsjbpm/jbpm-console-ng/commit/4818204506e8e94645b52adb9426bedfa9ffdd04
Statement: This issue does not affect jBPM KIE Workbench as shipped with Red Hat JBoss BPM Suite 6.0.0. It may affect earlier versions of the upstream jBPM Console NG project.