Cross-site scripting in IBM WebSphere Commerce Developer - CVE-2016-2862
Published: July 4, 2016 / Updated: July 12, 2020
Vulnerability identifier: #VU84
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-2862
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: IBM Corporation
Affected software:
IBM WebSphere Commerce Developer
Detailed vulnerability description
The vulnerability allows a remote attacker to conduct cross-site scripting attacks.
The vulnerability exists due to an input validation error. A remote unauthenticated attacker can steal the victim's cookie-based authentication credentials by creating a specially crafted URL that executes script in the victim's web browser within the security context of the hosting website.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
How to mitigate CVE-2016-2862
IBM has issued a fix (8.0.0.5; APARs JR55264, JR55139 and JR55141).