The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of WebSphere AS: Cross Site Scripting via Admin Console

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Admin Console of WebSphere AS, in order to run JavaScript code in the context of the web site.
Severity of this bulletin: 2/4.
Creation date: 07/12/2016.
References of this threat: 1992315, 1996037, 1996038, 1996145, 1996238, 7014463, 7036319, CVE-2016-8934, VIGILANCE-VUL-21297.

Description of the vulnerability

The WebSphere AS product offers a web service.

However, it does not filter data received via the Admin Console before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Admin Console of WebSphere AS, in order to run JavaScript code in the context of the web site.
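To illustrate the defect class the bulletin describes (request data inserted into generated HTML without filtering) and the hardened form, here is an added example; it is not code from the bulletin or from IBM, and the page-builder functions and the input string are constructed for the demonstration.

```python
# Added example (not from the Vigil@nce bulletin or IBM): models a console page
# builder that reflects request data into HTML, once unfiltered and once encoded.
import html

def render_vulnerable(server_name: str, search: str) -> str:
    """Insecure form: request data is concatenated straight into the markup."""
    return ('<h1>Server: ' + server_name + '</h1>'
            '<input name="q" value="' + search + '">')

def render_hardened(server_name: str, search: str) -> str:
    """Hardened form: each value is encoded for the HTML context it lands in.
    html.escape(quote=True) encodes & < > " and ', so a value can neither open
    a tag in text content nor break out of a quoted attribute."""
    return ('<h1>Server: ' + html.escape(server_name, quote=True) + '</h1>'
            '<input name="q" value="' + html.escape(search, quote=True) + '">')

def reflects_raw_markup(rendered: str, untrusted: str) -> bool:
    """Check used in review/testing: True when an untrusted value that carries
    HTML-significant characters appears unencoded in the generated page."""
    has_markup_chars = any(c in untrusted for c in '<>"\'&')
    return has_markup_chars and untrusted in rendered

if __name__ == "__main__":
    # Constructed test input: closes the attribute and opens a script element.
    probe = '"><script>x</script>'
    print("vulnerable reflects raw markup:",
          reflects_raw_markup(render_vulnerable("srv1", probe), probe))
    print("hardened reflects raw markup:",
          reflects_raw_markup(render_hardened("srv1", probe), probe))
```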

This computer vulnerability bulletin impacts software or systems such as Tivoli Directory Server, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is medium.

The trust level is "confirmed by the vendor", with a vendor document as the origin.

An attacker with expert skill can exploit this vulnerability.

Solutions for this threat

WebSphere AS: version 8.5.5.12.
The version 8.5.5.12 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24043844

WebSphere AS: solution for Admin Console.
The solution is indicated in information sources.

IBM BigFix, IBM Tivoli Directory Server: patch for WebSphere AS.
A patch is indicated in the information source for WebSphere, for each version of the embedded WebSphere AS.

IBM Tivoli System Automation: patch for WebSphere Application Server.
Two sets of patches are or will be available, depending on which version of WebSphere is embedded:
  http://www-01.ibm.com/support/docview.wss?uid=swg21992315
  http://www-01.ibm.com/support/docview.wss?uid=swg21991469

IBM WebSphere Application Server: version 7.0.0.43.
The version 7.0.0.43 is fixed.

IBM WebSphere Enterprise Service Bus: solution for WebSphere AS.
The solution is indicated in information sources.
