
Security Bulletin: Cross-site scripting vulnerability in IBM WebSphere Application Server Liberty (CVE-2016-3042)

2018-06-15 07:05:58
www.ibm.com
EPSS: 0.001 (percentile: 32.2%)

Summary

There is a potential cross-site scripting vulnerability in the WebSphere Application Server Liberty OpenID Connect clients.

Vulnerability Details

CVEID: CVE-2016-3042
DESCRIPTION: IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting in OpenID Connect clients. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114638 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects IBM WebSphere Application Server Liberty.

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI64790 for each named product as soon as practical.
For WebSphere Application Server Liberty:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI64790
--OR--
· Apply Fix Pack 16.0.0.3 or later.

Workarounds and Mitigations

None
