Vulnerability Note VU#560659
IBM WebSphere vulnerable to Cross-Site Scripting via passing of user input directly to default error page
Several server applications are vulnerable to such a technique via various default error pages.
The victim will be presented with information that the compromised site did not wish its visitors to be subjected to. This could be used to "sniff" sensitive data from within the web page, including passwords, credit card numbers, and any arbitrary information the user inputs.
Install the vendor patch for WebSphere 3.5 and 3.02: PQ47386302x from http://www-4.ibm.com/software/webservers/appserv/efix.html
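The pattern behind this note, passing user input directly to an error page, is shown here as an added example; it is not IBM's code or the WebSphere default error page. The class and method names are hypothetical, and the requested path is a constructed sample carrying inert marker markup.

```java
// Added illustration; class and method names are hypothetical, not WebSphere code.
public class ErrorPageDemo {

    // Vulnerable pattern: the requested path is copied into the page as-is,
    // so any markup in it becomes part of the document the browser renders.
    static String renderNotFoundUnsafe(String requestedPath) {
        return "<html><body><h1>Error 404</h1><p>File not found: "
                + requestedPath + "</p></body></html>";
    }

    // Encode the five characters that are significant in HTML text and
    // quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened form: the same page, with the user-controlled part encoded.
    static String renderNotFoundSafe(String requestedPath) {
        return "<html><body><h1>Error 404</h1><p>File not found: "
                + escapeHtml(requestedPath) + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a path carrying inert marker markup.
        String path = "/missing<b id=\"marker\">x</b>.jsp";
        String unsafe = renderNotFoundUnsafe(path);
        String safe = renderNotFoundSafe(path);
        System.out.println(unsafe);
        System.out.println(safe);
        // The check a regression test would make: the marker tag must not survive.
        System.out.println("unsafe reflects markup: " + unsafe.contains("<b id="));
        System.out.println("safe reflects markup:   " + safe.contains("<b id="));
    }
}
```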
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| IBM | Affected | 20 Mar 2001 | 23 Aug 2001 |
- VU#642239, VU#672683, VU#654643, VU#560659, VU#270083, VU#981651
Our thanks to Hiromitsu Takagi, who discovered this instance of the cross-site scripting vulnerability.
This document was originally written by Shawn Hernan in July 2000. It has been adapted for this instance by Jason Rafail.
- CVE IDs: Unknown
- Date Public: 02 Jul 2001
- Date First Published: 23 Aug 2001
- Date Last Updated: 23 Aug 2001
- Severity Metric: 59.06
- Document Revision: 13