A potential cross-site scripting vulnerability exists in the DataPower system log. IBM has addressed the applicable CVE.
CVEID: CVE-2017-1591**
DESCRIPTION:** IBM WebSphere DataPower Appliances is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132368 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
IBM DataPower Gateways appliances, versions through 7.0.0.0-7.0.0.19, 7.1.0.0-7.1.0.18, 7.2.0.0-7.2.0.15, 7.5.0.0-7.5.0.9, 7.5.1.0-7.5.1.8, 7.5.2.0-7.5.2.8, 7.6.0.0
Fix is available in versions 7.0.0.20, 7.1.0.19, 7.2.0.16, 7.5.0.10, 7.5.1.9, 7.5.2.9, 7.6.0.1. Refer to APAR IT22119 for URLs to download the fix.
You should verify applying this fix does not cause any compatibility issues.
For DataPower customers using versions 6.x and earlier versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
None