CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
80.8%
The version of IBM WebSphere Portal installed on the remote Windows host is affected by a cross-site redirection vulnerability due to improper validation of unspecified input. An unauthenticated, remote attacker can exploit this vulnerability, by convincing a user to follow a specially crafted link, to redirect a user from a legitimate website to a malicious website of the attacker’s choosing, in which the attacker is able to spoof the URL that is displayed to the user.
This can allow the attacker to obtain sensitive information or to conduct further attacks.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(100222);
script_version("1.6");
script_cvs_date("Date: 2019/11/13");
script_cve_id("CVE-2017-1156");
script_bugtraq_id(98340);
script_name(english:"IBM WebSphere Portal Cross-Site Redirection");
script_summary(english:"Checks for the installed patches.");
script_set_attribute(attribute:"synopsis", value:
"The web portal application installed on remote Windows host is
affected by a cross-site redirection vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of IBM WebSphere Portal installed on the remote Windows
host is affected by a cross-site redirection vulnerability due to
improper validation of unspecified input. An unauthenticated, remote
attacker can exploit this vulnerability, by convincing a user to
follow a specially crafted link, to redirect a user from a legitimate
website to a malicious website of the attacker's choosing, in which
the attacker is able to spoof the URL that is displayed to the user.
This can allow the attacker to obtain sensitive information or to
conduct further attacks.");
script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22000153");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate fixes according to the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1156");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/02");
script_set_attribute(attribute:"patch_publication_date", value:"2017/05/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_portal");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("websphere_portal_installed.nbin");
script_require_keys("installed_sw/IBM WebSphere Portal");
exit(0);
}
include("websphere_portal_version.inc");
websphere_portal_check_version(
ranges:make_list(
"8.5.0.0, 8.5.0.0, CF13",
"9.0.0.0, 9.0.0.0, CF13"
),
fix:"PI77506",
severity:SECURITY_WARNING
);
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
80.8%