IBM WebSphere Application Server Administrative console cross-site scripting

was-cve20135418-xss (87480)

Risk level: Low

Description:

IBM WebSphere Application Server is vulnerable to cross-site scripting, caused by improper validation of input in the Administrative console. A remote attacker could exploit this vulnerability using a specially-crafted URL to inject script into a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVSS:

Base Score: 3.5
  Access Vector: Network
  Access Complexity: Medium
  Authentication: Single
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: None
 
Temporal Score: 3
  Exploitability: High
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Consequences:

Cross-Site Scripting

Remedy:

Refer to the appropriate IBM Security Bulletin for patch, upgrade, or suggested workaround information. See References.

References:

  • IBM Security Bulletin 1651880: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.1.
  • IBM Security Bulletin 1661323: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.31.
  • IBM Security Bulletin 1661325: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.8.
  • BID-63778: IBM WebSphere Application Server CVE-2013-5418 Cross Site Scripting Vulnerability
  • CVE-2013-5418: Cross-site scripting (XSS) vulnerability in the Administrative console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.31, 8.0 before 8.0.0.8, and 8.5 before 8.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
  • OSVDB ID: 99764: IBM WebSphere Application Server (WAS) Administrative Console Unspecified Reflected XSS (2013-5418)

Platforms Affected:

  • IBM WebSphere Application Server 7.0
  • IBM WebSphere Application Server 8.0
  • IBM WebSphere Application Server 8.5
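As an added example (not IBM's code and not part of this advisory), the check below maps an installed WebSphere Application Server version onto the fixed fix packs named in the CVE entry above (7.0.0.31, 8.0.0.8, 8.5.5.1) so an inventory can be triaged; the hostnames and version strings are constructed.

```python
# Added example: classify a WAS version against the fix levels listed for
# CVE-2013-5418. Not IBM code; sample inventory values are constructed.

# First fixed fix pack per affected release branch, taken from the CVE text.
FIXED_IN = {
    (7, 0): (7, 0, 0, 31),
    (8, 0): (8, 0, 0, 8),
    (8, 5): (8, 5, 5, 1),
}


def parse_version(text):
    """Turn '8.5.5.1' into (8, 5, 5, 1); missing trailing fields become 0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted numeric version: %r" % text)
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version_text):
    """Return 'affected', 'fixed' or 'not-listed' for a WAS version string.

    'not-listed' means the release branch is not named in the advisory;
    consult the IBM bulletins rather than assuming such a host is safe.
    """
    version = parse_version(version_text)
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "not-listed"
    return "affected" if version < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported WAS version.
    inventory = {
        "was-prod-01": "8.5.5.0",
        "was-prod-02": "8.5.5.1",
        "was-legacy-01": "7.0.0.29",
        "was-dev-01": "8.0.0.8",
        "was-next-01": "9.0.0.1",
    }
    for host, ver in sorted(inventory.items()):
        print("%-14s %-9s %s" % (host, ver, assess(ver)))
```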

Reported:

Nov 11, 2013

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
