Vulnerability CVE-2010-4220 - CERT Civis.Net

Vulnerability Name:

CVE-2010-4220 (CCN-62948)

Assigned:

2010-10-22

Published:

2010-10-22

Updated:

2010-11-10

Summary:

Cross-site scripting (XSS) vulnerability in the Integrated Solution Console in the Administrative Console component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection."

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.6 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.6 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2010-0784

Source: MITRE
Type: CNA
CVE-2010-4220

Source: CCN
Type: SA41722
IBM WebSphere Application Server for z/OS Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
41722

Source: CCN
Type: IBM APAR PM17046
Recommended fixes for WebSphere Application Server

Source: AIXAPAR
Type: UNKNOWN
PM11777

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg27014463

Source: CCN
Type: OSVDB ID: 68536
IBM WebSphere Application Server for z/OS Unspecified XSS

Source: CCN
Type: OSVDB ID: 69204
IBM WebSphere Application Server (WAS) Administrative Console Integrated Solution Console Unspecified XSS

Source: CCN
Type: BID-43874
IBM WebSphere Application Server for z/OS Multiple Unspecified Cross Site Scripting Vulnerabilities

Source: CCN
Type: BID-44875
IBM WebSphere Application Server Unspecified Cross Site Scripting Vulnerability

Source: XF
Type: UNKNOWN
was-admins-console-xss(62948)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.10:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.11:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.12:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*

Denotes that component is vulnerable