Impact
A cross‑site scripting vulnerability exists in the administrative console help system of IBM WebSphere Application Server. The flaw allows an attacker to inject and execute arbitrary client‑side scripts in a user’s browser when viewing the help pages. If an attacker successfully exploits this weakness, they could steal session cookies, mimic legitimate users, or redirect users to malicious sites, thereby compromising confidentiality, integrity, or availability of the administrative interface. The weakness is identified as CWE‑79 and carries a CVSS score of 9.3.
Affected Systems
IBM WebSphere Application Server versions 8.5 and 9.0 are affected. Builds V9.0.0.0 through 9.0.5.28 remain vulnerable until the interim fix is installed or fix pack 9.0.5.29 or later is applied. Builds V8.5.0.0 through 8.5.5.30 remain vulnerable until the interim fix is installed or fix pack 8.5.5.31 or later is applied.
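The following triage script is an added example, not part of the advisory or IBM's tooling. It encodes the two affected ranges stated above and flags inventory entries that still need the interim fix or the threshold fix pack; the host names and versions in the inventory are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Affected ranges and first fixed fix pack, as stated in the advisory:
# (lowest affected, highest affected, first fixed fix pack)
AFFECTED_RANGES = [
    ((9, 0, 0, 0), (9, 0, 5, 28), (9, 0, 5, 29)),
    ((8, 5, 0, 0), (8, 5, 5, 30), (8, 5, 5, 31)),
]


def parse_version(text: str) -> tuple:
    """Parse a dotted WebSphere version such as 'V9.0.5.17' into a 4-tuple.
    Shorter strings (e.g. '8.5.5') are padded with zeros so they compare
    against the advisory's ranges."""
    parts = [int(p) for p in text.strip().lstrip("Vv").split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass
class Assessment:
    version: str
    affected: bool                     # still exposed to CWE-79 in the help system
    required_fix_pack: Optional[str]   # durable remediation target, if in range


def assess(version: str, interim_fix_installed: bool = False) -> Assessment:
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            # The interim fix mitigates the flaw on an in-range build; the
            # fix pack at or beyond the threshold is the durable remediation.
            return Assessment(version, not interim_fix_installed, ".".join(map(str, fixed)))
    return Assessment(version, False, None)


# Constructed inventory (hypothetical hosts, not from the advisory):
# (host, reported version, interim fix installed?)
INVENTORY = [
    ("was-prod-01", "9.0.5.17", False),
    ("was-prod-02", "9.0.5.29", False),
    ("was-legacy-01", "8.5.5.30", True),
    ("was-legacy-02", "8.5.5.31", False),
]


def triage(inventory=INVENTORY):
    """Return the hosts that still need the interim fix or fix pack."""
    return [host for host, ver, ifix in inventory if assess(ver, ifix).affected]


if __name__ == "__main__":
    for host, ver, ifix in INVENTORY:
        a = assess(ver, ifix)
        print(f"{host}: {ver} affected={a.affected} fix_pack={a.required_fix_pack}")
```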
Risk and Exploitability
The issue is exploitable remotely through the administrative console’s help pages, so a WebSphere instance whose console is reachable from untrusted networks is exposed. The CVSS score of 9.3 indicates high severity; no EPSS score is provided, and the absence of a KEV listing suggests no known widespread exploitation at the time of this report. The recommended remediation is to apply IBM’s interim fix or the appropriate fix pack and then follow the detailed post‑installation instructions. Leaving the system unpatched exposes it to script injection, which can lead to credential theft or further attacks within the corporate network.
OpenCVE Enrichment