CVE-2018-1643 — Cross-site Scripting in IBM Websphere Application Server

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 38.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Websphere Application Server

Timeline

PublishedNov 15

Latest updateMay 13

Description

The Installation Verification Tool of IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 144588

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDibm/websphere_application_server7.0.0.0 — 7.0.0.45+3

▶CVEListV5ibm/websphere_application_server4 versions+3

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-mw4x-892q-7j7f: The Installation Verification Tool of IBM WebSphere Application Server 7↗2022-05-13

▶

CVEList

CVE-2018-1643: The Installation Verification Tool of IBM WebSphere Application Server 7↗2018-11-15

▶

💥Exploits & PoCs

Exploit-DB

ghostscript - executeonly Bypass with errorhandler Setup↗2018-10-09

▶