Impact
IBM WebSphere Application Server 9.0 and 8.5 contain a cross-site scripting flaw in the administrative console's integrated help system. The flaw permits an attacker who can invoke the console's help functions to inject arbitrary HTML or JavaScript. The injected script can then run with the privileges of the authenticated console session, allowing the attacker to capture sensitive data, hijack administrator sessions, or perform further malicious actions within the affected servers.
Affected Systems
The vulnerability is present in IBM WebSphere Application Server versions 8.5.0.0 through 8.5.5.30 and 9.0.0.0 through 9.0.5.28. IBM recommends applying the interim fix or Fix Pack PH71756, or upgrading to Fix Pack 8.5.5.31 or later for 8.5, and Fix Pack 9.0.5.29 or later for 9.0.
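A small inventory check that encodes the affected ranges and fix levels stated above, added here as an example and not part of the advisory; the hostnames and versions in the sample inventory are constructed, and the fix-level names are taken from the text.

```python
"""Classify WebSphere Application Server versions against the affected
ranges stated in the advisory: 8.5.0.0-8.5.5.30 and 9.0.0.0-9.0.5.28."""

from typing import Optional, Tuple

# Per-branch (lowest affected, highest affected, first fixed level), from the advisory.
AFFECTED = {
    "8.5": ((8, 5, 0, 0), (8, 5, 5, 30), "8.5.5.31"),
    "9.0": ((9, 0, 0, 0), (9, 0, 5, 28), "9.0.5.29"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted WAS version such as '9.0.5.12' into a 4-int tuple.
    Missing trailing components count as 0, so '8.5' means 8.5.0.0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, remediation). The remediation text names the fix
    levels from the advisory; it is None when the version is not affected."""
    v = parse_version(version)
    entry = AFFECTED.get(f"{v[0]}.{v[1]}")
    if entry is None:
        return False, None  # branch not covered by the advisory
    low, high, fixed = entry
    if low <= v <= high:  # tuple comparison is component-wise, left to right
        return True, f"apply PH71756 or upgrade to Fix Pack {fixed} or later"
    return False, None


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts or real deployments).
    inventory = {
        "was-prod-01": "9.0.5.12",
        "was-prod-02": "8.5.5.31",
        "was-dev-01": "8.5.5.9",
        "was-legacy": "8.0.0.15",
    }
    for host, ver in inventory.items():
        affected, fix = assess(ver)
        print(f"{host}: {ver} -> {'AFFECTED, ' + fix if affected else 'not affected'}")
```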
Risk and Exploitability
The CVSS base score of 9.3 indicates a critical severity level. No EPSS score is available for this vulnerability, and it is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring the attacker to access the administrative console’s help interface; once the vulnerable console is accessed, the attacker can inject malicious code. The combination of a high severity score and the availability of a publicly documented bug makes the risk significant for any environment running the affected WebSphere Application Server versions.
OpenCVE Enrichment