Vulnerability CVE-2013-0499
Published: 2013-05-28

Description:
Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services.

See advisories in our WLB2 database:
Topic
Author
Date
Low
IBM WebSphere DataPower Services JavaScript Execution
SEC
23.05.2013

Type:

CWE-79

 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None
Affected software
IBM -> Websphere datapower b2b appliance xb62 
IBM -> Websphere datapower integration appliance xi50 
IBM -> Websphere datapower integration appliance xi52 
IBM -> Websphere datapower integration appliance xi52 virtual edition 
IBM -> Websphere datapower service gateway xg45 
IBM -> Websphere datapower service gateway xg45 virtual edition 
IBM -> Websphere datapower xc10 appliance 
IBM -> Websphere datapower b2b appliance xb62 firmware 
IBM -> Websphere datapower integration appliance xi50 firmware 
IBM -> Websphere datapower integration appliance xi52 firmware 
IBM -> Websphere datapower integration appliance xi52 virtual edition firmware 
IBM -> Websphere datapower service gateway xg45 firmware 
IBM -> Websphere datapower service gateway xg45 virtual edition firmware 
IBM -> Websphere datapower xc10 appliance firmware 

 References:
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt
http://xforce.iss.net/xforce/xfdb/82221
http://www-01.ibm.com/support/docview.wss?uid=swg21637717
http://seclists.org/bugtraq/2013/May/83
Copyright 2024, cxsecurity.com

 

Back to Top