IBM Patches WebSphere Portal XSS Vulnerability
June 7, 2011 Alex Woodie
Organizations running WebSphere Portal versions 6 and 7 are encouraged to apply an IBM patch to fix a cross-site scripting (XSS) vulnerability that could allow an attacker to run arbitrary HTML and script code in a user’s Web browser. The vulnerability, which was revealed in late May, affects WebSphere Portal 7 running on several operating systems, including IBM i.
According to IBM’s Internet Security Systems’ X-Force database, which can be accessed at xforce.iss.net/xforce/xfdb/67594, the XSS vulnerability stems from the failure to properly sanitize user input in the search center component of a WebSphere Portal application. This vulnerability could be exploited by an attacker to execute arbitrary HTML, run a script, or even steal the victim’s cookie-based authentication credentials. X-Force rates the exploitability of the vulnerability as “high,” although it rates the complexity of exploiting it as “medium.”
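To make the mechanism concrete, the following is an added illustration written for this article; it is not IBM code and does not reproduce the actual WebSphere Portal search center. The class name, the tiny HTML template, and the probe string are all constructed. It places a search term into a results page first without encoding (the pattern the advisory describes) and then with HTML output encoding, and includes a small check that a reviewer could run over rendered output to confirm raw markup is no longer reflected.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration (not IBM code): how a reflected XSS in a search page arises
 * from unsanitized input, and how HTML output encoding closes it.
 * The class name, HTML template and probe string are constructed for this example.
 */
public class SearchCenterXssDemo {

    /** Minimal HTML entity encoder for text placed in an element body or a quoted attribute. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the search term is echoed straight into the page. */
    static String renderVulnerable(String query) {
        return "<h2>Results for: " + query + "</h2>";
    }

    /** Hardened pattern: the same page, but the term is encoded for the HTML context it lands in. */
    static String renderSafe(String query) {
        return "<h2>Results for: " + escapeHtml(query) + "</h2>";
    }

    /** Review-time check: does the rendered page still contain the input's markup unencoded? */
    static boolean echoesRawMarkup(String query, String rendered) {
        return query.indexOf('<') >= 0 && rendered.contains(query);
    }

    public static void main(String[] args) {
        // Constructed input: the conventional harmless probe string used when verifying an XSS fix.
        String probe = "<script>alert(1)</script>";
        Map<String, String> pages = new LinkedHashMap<>();
        pages.put("vulnerable", renderVulnerable(probe));
        pages.put("hardened", renderSafe(probe));
        for (Map.Entry<String, String> e : pages.entrySet()) {
            System.out.println(e.getKey() + ": " + e.getValue());
            System.out.println("  raw markup reflected? " + echoesRawMarkup(probe, e.getValue()));
        }
        // The cookie-theft impact named in the advisory is further reduced by marking the
        // session cookie HttpOnly, which keeps document.cookie from exposing it to injected
        // script. That is defense in depth, not a substitute for output encoding.
    }
}
```

The vulnerable rendering returns the probe verbatim, so the check reports true; the hardened rendering returns `&lt;script&gt;alert(1)&lt;/script&gt;`, which a browser displays as text rather than executing, and the check reports false. Encoding must match the output context (element body here; JavaScript or URL contexts need different encoders), which is why a single server-side fix such as IBM's cumulative fix is the right place to apply it rather than ad hoc filtering of input.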
The vulnerability was given a “less critical” severity rating by Secunia in its SA44700 advisory. According to Secunia, the vulnerability affects WebSphere Portal version 6 and 7 running on IBM i, AIX, Linux, Solaris, Windows, and z/OS.
The patch for the XSS vulnerability is contained in the latest Combined Cumulative Fix, CF004, which was released May 23. For more information on CF004, see www-304.ibm.com/support/docview.wss?uid=swg24029452.