IBM WebSphere 'ResetPassword' Information Disclosure

Low Nessus Network Monitor Plugin ID 2712

Synopsis

The remote host may give an attacker information useful for future attacks.

Description

The remote WebSphere webserver is vulnerable to an information leak. There is a flaw in the default ResetPassword form that would allow a remote attacker to obtain potentially confidential data (such as UserID) within the web server cache. An attacker exploiting this flaw would only need to be able to browse to the affected system and view the confidential data within the form source code.

Solution

Upgrade or patch according to vendor recommendations.

See Also

http://www-1.ibm.com/support/docview.wss?uid=swg21199839

Plugin Details

Severity: Low

ID: 2712

File Name: 2712.prm

Family: Web Servers

Published: 2005/03/15

Modified: 2016/02/05

Dependencies: 1442

Nessus ID: 17337

Risk Information

Risk Factor: Low

CVSSv2

Base Score: 2.6

Temporal Score: 2.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSSv3

Base Score: 3.6

Temporal Score: 3.4

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:websphere_application_server

Reference Information

BID: 12812