IBM WebSphere Application Server
cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*, +1 more
- 9.0
- 8.5
A cross-site scripting vulnerability has been identified in IBM WebSphere Application Server versions 8.5 and 9.0, as well as in IBM WebSphere Application Server Liberty versions 17.0.0.3 through 25.0.0.12. This vulnerability arises from improper validation of user-supplied input, allowing an attacker to exploit it by using a specially crafted URL to redirect users to a malicious site.
Successful exploitation results in cross-site scripting: the attacker injects script that executes in the context of the victim's browser session.
Users of IBM WebSphere Application Server Liberty versions 17.0.0.3 through 25.0.0.12 who have the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, or servlet-6.0 feature enabled should upgrade to the minimum fix pack level required by the interim fix and then apply the interim fix that resolves PH68817. Alternatively, Fix Pack 26.0.0.1 or later can be applied. For IBM WebSphere Application Server traditional, the same upgrade-and-interim-fix process applies to versions 9.0.0.0 through 9.0.5.26 and to versions 8.5.0.0 through 8.5.5.28.
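The following is an added example, not part of the advisory or an IBM tool, that encodes the affected version ranges stated above so an inventory of WebSphere installations can be triaged for this issue. It assumes four-part dotted version strings and, for Liberty, that the enabled feature names from server.xml are available as plain strings; the "minimum fix pack level required by the interim fix" is not stated here and is therefore not modelled.

```python
# Added example (not from the advisory): classify a WebSphere installation
# against the affected version ranges stated in the advisory text.
from typing import Iterable, List, Tuple

# Inclusive ranges taken from the advisory. Anything outside them is
# reported as "not affected" only with respect to this advisory.
AFFECTED_RANGES = {
    "liberty": [("17.0.0.3", "25.0.0.12")],
    "traditional": [("9.0.0.0", "9.0.5.26"), ("8.5.0.0", "8.5.5.28")],
}

# Liberty is only in scope when one of these servlet features is enabled.
VULNERABLE_SERVLET_FEATURES = {
    "servlet-3.0", "servlet-3.1", "servlet-4.0", "servlet-5.0", "servlet-6.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.0.5.26' into (9, 0, 5, 26); shorter strings are zero-padded.

    Padding to four components is an assumption so that '8.5' compares as
    8.5.0.0 rather than raising. Non-numeric components are rejected.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def in_range(version: str, low: str, high: str) -> bool:
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def is_affected(edition: str, version: str, features: Iterable[str] = ()) -> bool:
    """Return True when the install falls in an affected range for this advisory.

    edition: "liberty" or "traditional"; features: enabled Liberty feature names.
    """
    if edition not in AFFECTED_RANGES:
        raise ValueError(f"unknown edition: {edition!r}")
    if not any(in_range(version, lo, hi) for lo, hi in AFFECTED_RANGES[edition]):
        return False
    if edition == "liberty":
        enabled = {f.strip().lower() for f in features}
        return bool(enabled & VULNERABLE_SERVLET_FEATURES)
    return True


def triage(inventory: List[Tuple[str, str, List[str]]]) -> List[Tuple[str, str, bool]]:
    """Constructed inventory rows (edition, version, features) -> affected flags."""
    return [(ed, ver, is_affected(ed, ver, feats)) for ed, ver, feats in inventory]
```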