IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 292640.
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD. NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:
CNA: IBM Corporation. Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0 Severity and Vector Strings:
NIST: NVD. NVD assessment not yet provided.

Hyperlink | Resource |
---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/292640 | VDB Entry Vendor Advisory |
https://www.ibm.com/support/pages/node/7158662 | Vendor Advisory |

CWE-ID | CWE Name | Source |
---|---|---|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | IBM Corporation |

OR
*cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:* versions from (including) 8.5.0.0 up to (excluding) 8.5.5.26
*cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:* versions from (including) 9.0.0.0 up to (excluding) 9.0.5.21

NIST AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
https://exchange.xforce.ibmcloud.com/vulnerabilities/292640 No Types Assigned
https://exchange.xforce.ibmcloud.com/vulnerabilities/292640 VDB Entry, Vendor Advisory
https://www.ibm.com/support/pages/node/7158662 No Types Assigned
https://www.ibm.com/support/pages/node/7158662 Vendor Advisory
IBM Corporation AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
IBM Corporation CWE-79
IBM Corporation https://exchange.xforce.ibmcloud.com/vulnerabilities/292640 [No types assigned]
IBM Corporation https://www.ibm.com/support/pages/node/7158662 [No types assigned]

CVE Dictionary Entry: CVE-2024-35153
NVD Published Date: 06/27/2024
NVD Last Modified: 08/02/2024
Source: IBM Corporation