IBM WebSphere Application Server is vulnerable to Cross-Site Scripting

Abstract

IBM WebSphere Application Server is vulnerable to Cross-Site Scripting in the administrative console.

Tested version

  • IBM WebSphere Application Server 9.0
  • IBM WebSphere Application Server 8.5

Fix

This vulnerability is addressed in the currently available interim fix or fix pack containing APAR PH61546. It is recommended to apply the fix now.

  • For v9.0.0.1 through 9.0.5.20: apply interim fix APAR PH61546, or upgrade to fix pack 9.0.5.21 or later, which is targeted to be available in Q3 of 2024.

  • For v8.5.0.0 through v8.5.5.25: apply interim fix APAR PH61546, or upgrade to fix pack 8.5.5.26 or later, which is targeted to be available in Q3 of 2024.

Vulnerability details

IBM WebSphere Application Server 8.5 and 9.0 are vulnerable to Cross-Site Scripting. This vulnerability allows privileged users to inject arbitrary JavaScript code into the administrative Web UI, altering the intended behavior of the application. Consequences include, but are not limited to, leakage of credentials and other sensitive information, as well as changes to (security) settings made within the trusted session of the victim.
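The rendering pattern behind a Cross-Site Scripting flaw like the one described above, shown as an added illustration; this is not code from the advisory or from WebSphere itself. It places a value that a console user typed into a settings field straight into the page markup, sets the hardened form (HTML-encode on output) beside it, and includes a small check that a code reviewer or test suite can run over rendered markup to spot unencoded user input. The field name, the template and the sample payload are assumptions for illustration.

```javascript
// Added example, not code from the IBM advisory or from WebSphere itself.
// Shows unencoded interpolation of user-supplied text into HTML (the root
// cause pattern of XSS) next to the hardened, output-encoded form, plus a
// check for markup that the template did not contain.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode the five characters that can break out of an HTML text node or a
// quoted attribute value. This encoder is correct for those two contexts only;
// values placed into a script block, an event handler attribute or a URL need
// a context-specific encoder instead.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (assumed field name "displayName"): a value a privileged
// user entered in a settings form is echoed back into the console page verbatim,
// so any markup in it is interpreted by every administrator's browser.
function renderDisplayNameVulnerable(displayName) {
  return `<td class="display-name">${displayName}</td>`;
}

// Hardened pattern: the same template, but the value is HTML-encoded first,
// so markup in it is displayed as literal text instead of being executed.
function renderDisplayNameSafe(displayName) {
  return `<td class="display-name">${escapeHtml(displayName)}</td>`;
}

// Review/detection helper: count opening tags in the rendered output beyond
// the ones the template itself contributes. A positive result means
// user-supplied markup reached the browser unencoded.
function injectedElementCount(renderedHtml, templateElementCount) {
  const tags = renderedHtml.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.length - templateElementCount;
}

// Constructed sample input: a harmless probe of the kind used to confirm that
// a field is rendered without encoding.
const SAMPLE_PAYLOAD = "<script>alert(1)</script>";
const TEMPLATE_ELEMENT_COUNT = 1; // the single <td> in the template

function demo() {
  const vulnerable = renderDisplayNameVulnerable(SAMPLE_PAYLOAD);
  const safe = renderDisplayNameSafe(SAMPLE_PAYLOAD);
  console.log("vulnerable:", vulnerable,
    "injected elements:", injectedElementCount(vulnerable, TEMPLATE_ELEMENT_COUNT));
  console.log("safe:      ", safe,
    "injected elements:", injectedElementCount(safe, TEMPLATE_ELEMENT_COUNT));
}

demo();
```

The hardened form is the one fix that holds regardless of who the user is: the advisory notes the attacker must already be privileged, but an administrator's input still has to be treated as untrusted data when it is rendered for other administrators, because the injected script runs with the viewer's console session rather than the author's.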
