There is a potential cross-site scripting vulnerability in the WebSphere Application Server Liberty OpenID Connect clients.
**CVEID:** CVE-2016-3042
**DESCRIPTION:** IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting in OpenID Connect clients. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114638 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
This vulnerability affects IBM WebSphere Application Server Liberty.
The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI64790 for each named product as soon as practical.
**For WebSphere Application Server Liberty:**
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI64790
--OR--
· Apply Fix Pack 16.0.0.3 or later.
none
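To audit servers against the two remediation paths above, this added example (not IBM's code) classifies the text printed by Liberty's `productInfo version --ifixes` command. The `Product version:` line layout, the interim-fix listing line, the host names and all sample outputs are constructed assumptions.

```python
import re

FIXED_IN = (16, 0, 0, 3)  # first fix pack with the fix, per the bulletin
APAR = "PI64790"          # APAR delivered by the interim fix, per the bulletin

# Constructed sample outputs keyed by hypothetical host name.
SAMPLES = {
    "app01": "Product name: WebSphere Application Server\nProduct version: 8.5.5.9\n",
    "app02": "Product version: 16.0.0.2\nPI64790 (constructed interim-fix line)\n",
    "app03": "Product version: 16.0.0.3\n",
    "app04": "command not found\n",
}


def parse_version(text):
    """Return the four-part Liberty version as a tuple of ints, or None."""
    m = re.search(r"^Product version:\s*(\d+(?:\.\d+){3})\s*$", text, re.MULTILINE)
    return tuple(int(part) for part in m.group(1).split(".")) if m else None


def assess(text):
    """Classify one server's output against the bulletin's remediation."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # never report an unparseable host as fixed
    # Compare numerically: as strings, "8.5.5.9" sorts after "16.0.0.3",
    # which would wrongly mark the older 8.5.5.x line as patched.
    if version >= FIXED_IN:
        return "fixed-by-fixpack"
    if APAR in text:
        return "fixed-by-ifix"
    return "vulnerable"


def audit(outputs):
    """Map each host to its classification."""
    return {host: assess(text) for host, text in outputs.items()}


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLES).items()):
        print(host, status)
```

Hosts reported as `unknown` need manual inspection, and `fixed-by-ifix` only confirms the APAR is listed, not that the base fix pack level the interim fix requires was met.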