Vulnerability Name:

CVE-2020-4303 (CCN-176668)

Assigned:2019-12-30
Published:2020-03-31
Updated:2020-04-02
Summary:IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668.
CVSS v3 Severity:6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2020-4303

Source: XF
Type: UNKNOWN
ibm-websphere-cve20204303-xss(176668)

Source: XF
Type: VDB Entry, Vendor Advisory
ibm-websphere-cve20204303-xss (176668)

Source: CCN
Type: IBM Security Bulletin 6147195 (WebSphere Application Server Liberty)
WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2020-4303, CVE-2020-4304)

Source: CONFIRM
Type: Patch, Vendor Advisory
https://www.ibm.com/support/pages/node/6147195

Source: CCN
Type: IBM Security Bulletin 6203516 (Content Foundation on Cloud)
IBM WebSphere Application Server Network Deployment security vulnerabilities in IBM Content Foundation on Cloud

Source: CCN
Type: IBM Security Bulletin 6209262 (Liberty for Java)
WebSphere Application Server Liberty is vulnerable to Cross-site Scripting that affects Liberty for Java for IBM Cloud (CVE-2020-4303, CVE-2020-4304)

Source: CCN
Type: IBM Security Bulletin 6218992 (Compare and Comply)
WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2020-4303, CVE-2020-4304)

Source: CCN
Type: IBM Security Bulletin 6232876 (WebSphere Application Server in Cloud)
Multiple vulnerabilities in the IBM HTTP Server and IBM WebSphere Application Server used in IBM WebSphere Application Server in IBM Cloud

Source: CCN
Type: IBM Security Bulletin 6235074 (Cloud Pak for Automation)
Multiple vulnerabilities in middleware software affect IBM Cloud Pak for Automation

Source: CCN
Type: IBM Security Bulletin 6236448 (Voice Gateway)
Security vulnerability in IBM WebSphere Application Server affects IBM Voice Gateway

Source: CCN
Type: IBM Security Bulletin 6239950 (Watson Speech to Text Customer Care)
Speech to Text, Text to Speech ICP, WebSphere Application Server Liberty Fix

Source: CCN
Type: IBM Security Bulletin 6242108 (License Metric Tool)
A security vulnerabilities has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 .

Source: CCN
Type: IBM Security Bulletin 6242178 (Log Analysis)
Vulnerability in WebSphere Application Server Liberty affect IBM Operations Analytics - Log Analysis (CVE-2020-4303, CVE-2020-4304)

Source: CCN
Type: IBM Security Bulletin 6242786 (Rational Asset Analyzer)
Asset Analyzer (RAA) is affected by two WebSphere Application Server vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6249993 (Control Center)
IBM WebSphere Application Server Liberty XSS Vulnerabilities Affect IBM Control Center (CVE-2020-4303, CVE-2020-4304)

Source: CCN
Type: IBM Security Bulletin 6252009 (InfoSphere Streams)
Websphere Application Server Liberty vulnerabilities used by IBM Streams

Source: CCN
Type: IBM Security Bulletin 6261535 (Cloud Private)
IBM Cloud Private is vulnerable to IBM WebSphere Application Server Liberty vulnerabilities (CVE-2020-4303, CVE-2020-4304)

Source: CCN
Type: IBM Security Bulletin 6324799 (Spectrum Protect Plus)
Multiple vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6391590 (Cloud Application Business Insights)
Multiple Vulnerabilities in Websphere Liberty server (WLP) affects IBM Cloud Application Business Insights

Source: CCN
Type: IBM Security Bulletin 6405740 (Watson Machine Learning Accelerator)
Vulnerabilities in IBM WebSphere Liberty affects IBM Waston Machine Learning Accelerator

Source: CCN
Type: IBM Security Bulletin 6417137 (Cloud APM)
Multiple vulnerabilities affect the IBM Performance Management product

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:* (Version >= 17.0.0.3 and <= 20.0.0.3)

  • Configuration CCN 1:
  • cpe:/a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:20.0.0.3:*:*:*:liberty:*:*:*
  • AND
  • cpe:/a:ibm:license_metric_tool:9.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_asset_analyzer:6.1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server_in_cloud:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server_in_cloud:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server_in_cloud:*:*:*:*:liberty:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:liberty:3.37:*:java:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_streams:4.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_streams:4.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_streams:4.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:control_center:6.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:control_center:6.1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:control_center:6.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_asset_analyzer:6.1.0.23:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_application_business_insights:1.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_application_business_insights:1.1.3:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    BACK
    ibm websphere application server *
    ibm websphere application server 17.0.0.3
    ibm websphere application server 20.0.0.3
    ibm license metric tool 9.2
    ibm spectrum protect plus 10.1.0
    ibm rational asset analyzer 6.1.0.0
    ibm websphere application server in cloud 8.5
    ibm websphere application server in cloud 9.0
    ibm websphere application server in cloud *
    ibm voice gateway 1.0.2
    ibm voice gateway 1.0.3
    ibm liberty 3.37
    ibm cloud pak for automation 19.0.3
    ibm infosphere streams 4.1.1
    ibm infosphere streams 4.2.1
    ibm infosphere streams 4.3.1
    ibm voice gateway 1.0.2.4
    ibm voice gateway 1.0.4
    ibm control center 6.0.0.2
    ibm control center 6.1.2.1
    ibm control center 6.1.3.0
    ibm cloud private 3.2.1 cd
    ibm voice gateway 1.0.5
    ibm cloud pak for automation 20.0.1
    ibm log analysis 1.3.5.3
    ibm log analysis 1.3.6.0
    ibm rational asset analyzer 6.1.0.23
    ibm spectrum protect plus 10.1.6
    ibm cloud private 3.2.2 cd
    ibm cloud application business insights 1.1.4
    ibm cloud application business insights 1.1.3