IBM WebSphere Application Server 7.0 < 184.108.40.206 / 8.0 < 220.127.116.11 / 8.5 < 18.104.22.168 / 9.0 < 22.214.171.124 Admin Console Multiple XSS
Low Nessus Plugin ID 97355
SynopsisThe remote web application server is affected by multiple XSS vulnerabilities.
DescriptionThe IBM WebSphere Application Server running on the remote host is version 7.0 prior to 126.96.36.199, 8.0 prior to 188.8.131.52, 8.5 prior to 184.108.40.206, or 9.0 prior to 220.127.116.11. It is, therefore, affected by multiple cross-site scripting (XSS) vulnerabilities in the Admin Console due to a failure to validate input before returning it to users. An authenticated, remote attacker can exploit these, via a specially crafted URL, to execute arbitrary script code in a user's browser session within the security context of the hosting website.
Note that Nessus has not checked for the Interim Fix for these issues but has instead relied only on the application's self-reported version number.
SolutionApply IBM WebSphere Application Server version 7.0 Fix Pack 43 (18.104.22.168) / 8.0 Fix Pack 14 (22.214.171.124) / 8.5 Fix Pack 12 (126.96.36.199) / 9.0 Fix Pack 3 (188.8.131.52) or later. Alternatively, upgrade to the minimal fix pack levels required by the interim fix and then apply Interim Fix PI73367. See the vendor advisory for more details.