CVE-2014-3087
callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
View on NVDSeverity
N/A
EPSS
Probability of exploitation (next 30 days): 0.0029 (0.3%)
Percentile: 52.4%
EPSS: 2026-05-06
Affects
ibm:business_process_manageribm:websphere_application_serverTechnical description
callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 and WebSphere Lombardi Edition 7.2 through 7.2.0.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Published: 8/17/2014, 11:55:06 PM
Last modified: 5/6/2026, 10:30:45 PM
References
- http://secunia.com/advisories/60752
- http://secunia.com/advisories/60755
- http://secunia.com/advisories/60757
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR50616
- http://www-01.ibm.com/support/docview.wss?uid=swg21679726
- http://www.securityfocus.com/bid/69264
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94112
- http://secunia.com/advisories/60752