JVNDB-2013-000004

WebSphere Application Server (WAS) vulnerable to cross-site scripting

Overview

WebSphere Application Server (WAS) provided by IBM contains a cross-site scripting vulnerability.

WebSphere Application Server (WAS) provided by IBM contains a vulnerability in SnoopServlet, a diagnostic servlet that echoes request data back into its HTML response, which may result in cross-site scripting.
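The SnoopServlet issue is the classic reflected pattern: a diagnostic page writes request headers and parameters straight into its HTML output. The program below is an added illustration written for this page, not IBM's SnoopServlet source or the code of the fix pack. It renders a snoop-style table from a constructed sample request in two ways, first with the raw values concatenated into the markup and then with every reflected value passed through an HTML encoder, and it includes the check a tester would run against a real response body. All class, method and sample-request names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration (not IBM's SnoopServlet): a snoop-style page that echoes
 * request headers and parameters, rendered without and with output encoding.
 */
public class SnoopEchoDemo {

    // Constructed sample request, not a captured one. The User-Agent header and
    // the "q" parameter carry attacker-controlled markup.
    static final Map<String, String> SAMPLE_HEADERS = new LinkedHashMap<>();
    static final Map<String, String[]> SAMPLE_PARAMS = new LinkedHashMap<>();
    static {
        SAMPLE_HEADERS.put("Host", "was.example.test:9080");
        SAMPLE_HEADERS.put("User-Agent", "<script>alert(document.cookie)</script>");
        SAMPLE_PARAMS.put("q", new String[] { "\"><img src=x onerror=alert(1)>" });
    }

    /** Vulnerable pattern: request values are concatenated into the HTML as-is. */
    static String renderUnescaped(Map<String, String> headers, Map<String, String[]> params) {
        StringBuilder html = new StringBuilder("<html><body><h1>Request Information</h1><table>\n");
        for (Map.Entry<String, String> h : headers.entrySet()) {
            html.append("<tr><td>").append(h.getKey()).append("</td><td>")
                .append(h.getValue()).append("</td></tr>\n");
        }
        for (Map.Entry<String, String[]> p : params.entrySet()) {
            html.append("<tr><td>").append(p.getKey()).append("</td><td>")
                .append(String.join(", ", p.getValue())).append("</td></tr>\n");
        }
        return html.append("</table></body></html>").toString();
    }

    /** Hardened pattern: every reflected key and value goes through the HTML encoder. */
    static String renderEscaped(Map<String, String> headers, Map<String, String[]> params) {
        StringBuilder html = new StringBuilder("<html><body><h1>Request Information</h1><table>\n");
        for (Map.Entry<String, String> h : headers.entrySet()) {
            html.append("<tr><td>").append(escapeHtml(h.getKey())).append("</td><td>")
                .append(escapeHtml(h.getValue())).append("</td></tr>\n");
        }
        for (Map.Entry<String, String[]> p : params.entrySet()) {
            html.append("<tr><td>").append(escapeHtml(p.getKey())).append("</td><td>")
                .append(escapeHtml(String.join(", ", p.getValue()))).append("</td></tr>\n");
        }
        return html.append("</table></body></html>").toString();
    }

    /** Minimal HTML entity encoder covering text-node and quoted-attribute contexts. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Verification check: true when the payload appears verbatim in the response
     * body. Run this over the body returned by the real servlet after sending the
     * payload in a header or query parameter.
     */
    static boolean reflectsUnescaped(String body, String payload) {
        return body.contains(payload);
    }

    public static void main(String[] args) {
        String payload = SAMPLE_HEADERS.get("User-Agent");
        String vulnerable = renderUnescaped(SAMPLE_HEADERS, SAMPLE_PARAMS);
        String fixed = renderEscaped(SAMPLE_HEADERS, SAMPLE_PARAMS);
        System.out.println("unescaped page reflects payload: " + reflectsUnescaped(vulnerable, payload));
        System.out.println("escaped page reflects payload:   " + reflectsUnescaped(fixed, payload));
        System.out.println(fixed);
    }
}
```

The same check applies when testing a live server: send a marker string such as a unique tag in the User-Agent header and in a query parameter, then search the response body for it verbatim; if it comes back with `<` and `"` intact, the page reflects without encoding.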

Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 4.3 (Medium) [IPA Score] (CVSS v2 vector AV:N/AC:M/Au:N/C:N/I:P/A:N)
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


IBM Corporation
  • IBM WebSphere Application Server versions prior to 6.0.2.21
  • IBM WebSphere Application Server versions prior to 6.1.0.9

Impact

An arbitrary script may be executed in the user's web browser, in the context of the WAS site that serves SnoopServlet.

Solution

[Apply a patch]
Apply the patch according to the information provided by the developer.

According to the developer, this issue was resolved in WAS 6.0.2.21 and WAS 6.1.0.9 in 2007.
WAS 6.0.2.21 is no longer supported, and support for WAS 6.1.0.9 ends on September 30, 2013.

As a general practice independent of this fix, sample and diagnostic servlets such as SnoopServlet have no business on a production server; removing or disabling them eliminates the reflection point regardless of fix pack level.

Vendor Information

IBM Corporation
CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

(none listed)

References

  1. JVN: JVN#24343509

Revision History

[2013/01/25]
  Web page was published