Input validation flaw in WebSphere Portal - CVE-2016-2925

Vulnerability identifier: #VU233

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green

CVE-ID: CVE-2016-2925

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: IBM Corporation

Affected software:
WebSphere Portal

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to improper validation of user-supplied input. A remote attacker can perform a cross-site scripting attack by using a specially-crafted URL to execute script in a victim's web browser within the security context of the hosting web site.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

For version 8.5.0 upgrade to Cumulative Fix 10 (CF10).
For versions 8.0.0 through 8.0.0.1 upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 21 (CF21).
For vervions 7.0.0 through 7.0.0.2 upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 30 (CF30) and then apply the Interim Fix PI62749.
For versions 6.1.5.0 through 6.1.5.3 upgrade to Fix Pack 6.1.5.3 with Cumulative Fix 27 (CF27) and then apply the Interim Fix PI62749.
For versions 6.1.0.0 through 6.1.0.6 upgrade to Fix Pack 6.1.0.6 with Cumulative Fix 27 (CF27) and then apply the Interim Fix PI62749.

• http://www-01.ibm.com/support/docview.wss?uid=swg21986461