ID

VAR-202004-1752


CVE

CVE-2020-4303


TITLE

Cross-site scripting vulnerability in IBM WebSphere Application Server - Liberty

Trust: 0.8

sources: JVNDB: JVNDB-2020-003564

DESCRIPTION

IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668. The vendor has published this vulnerability as IBM X-Force ID: 176668. Information may be obtained and tampered with. The vulnerability stems from the lack of proper validation of client-supplied data by the web application. Attackers can use this vulnerability to execute client-side code.

Trust: 2.25

sources: NVD: CVE-2020-4303 // JVNDB: JVNDB-2020-003564 // CNVD: CNVD-2020-22194 // VULMON: CVE-2020-4303

IOT TAXONOMY

category: Network device
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-22194

AFFECTED PRODUCTS

vendor: ibm
model: websphere application server
scope: gte
version: 17.0.0.3

Trust: 1.0

vendor: ibm
model: websphere application server
scope: lte
version: 20.0.0.3

Trust: 1.0

vendor: ibm
model: websphere application server
scope: eq
version: 17.0.0.3 through 20.0.0.3

Trust: 0.8

vendor: ibm
model: websphere application server liberty
scope: gte
version: 17.0.0.3,<=20.0.0.3

Trust: 0.6

sources: CNVD: CNVD-2020-22194 // JVNDB: JVNDB-2020-003564 // NVD: CVE-2020-4303

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-4303
value: MEDIUM

Trust: 1.0

psirt@us.ibm.com: CVE-2020-4303
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-003564
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-22194
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202003-1742
value: MEDIUM

Trust: 0.6

VULMON: CVE-2020-4303
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-4303
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-003564
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-22194
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-4303
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

psirt@us.ibm.com: CVE-2020-4303
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-003564
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-22194 // VULMON: CVE-2020-4303 // JVNDB: JVNDB-2020-003564 // CNNVD: CNNVD-202003-1742 // NVD: CVE-2020-4303

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2020-003564 // NVD: CVE-2020-4303

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1742

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202003-1742

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003564

PATCH

title: 6147195
url: https://www.ibm.com/support/pages/node/6147195

Trust: 0.8

title: ibm-websphere-cve20204303-xss (176668)
url: https://exchange.xforce.ibmcloud.com/vulnerabilities/176668

Trust: 0.8

title: Patch for IBM WebSphere Application Server Liberty cross-site scripting vulnerability (CNVD-2020-22194)
url: https://www.cnvd.org.cn/patchInfo/show/213101

Trust: 0.6

title: IBM WebSphere Application Server Liberty Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=115374

Trust: 0.6

title: Red Hat: Moderate: Open Liberty 20.0.0.4 Runtime security update
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20201428 - Security Advisory

Trust: 0.1

title: IBM: Security Bulletin: Websphere Application Server Liberty vulnerabilities used by IBM Streams
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=3b8ffe02148f1db99a0e458cbaf7c612

Trust: 0.1

title: IBM: Security Bulletin: Vulnerabilities in IBM WebSphere Liberty affects IBM Waston Machine Learning Accelerator
url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=a24e06700e95b219544a9d80f5852dcc

Trust: 0.1

sources: CNVD: CNVD-2020-22194 // VULMON: CVE-2020-4303 // JVNDB: JVNDB-2020-003564 // CNNVD: CNNVD-202003-1742

EXTERNAL IDS

db: NVD, id: CVE-2020-4303

Trust: 3.1

db: JVNDB, id: JVNDB-2020-003564

Trust: 0.8

db: CNVD, id: CNVD-2020-22194

Trust: 0.6

db: NSFOCUS, id: 47978

Trust: 0.6

db: AUSCERT, id: ESB-2020.1298

Trust: 0.6

db: AUSCERT, id: ESB-2020.1283

Trust: 0.6

db: AUSCERT, id: ESB-2020.2213

Trust: 0.6

db: AUSCERT, id: ESB-2020.1732.2

Trust: 0.6

db: AUSCERT, id: ESB-2020.1732

Trust: 0.6

db: AUSCERT, id: ESB-2020.1161

Trust: 0.6

db: CNNVD, id: CNNVD-202003-1742

Trust: 0.6

db: VULMON, id: CVE-2020-4303

Trust: 0.1

sources: CNVD: CNVD-2020-22194 // VULMON: CVE-2020-4303 // JVNDB: JVNDB-2020-003564 // CNNVD: CNNVD-202003-1742 // NVD: CVE-2020-4303

REFERENCES

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/176668

Trust: 1.8

url:https://www.ibm.com/support/pages/node/6147195

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-4303

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-4303

Trust: 0.8

url:https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-is-vulnerable-to-cross-site-scripting-cve-2020-4303-cve-2020-4304/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerabilities-has-been-identified-in-websphere-liberty-profile-shipped-with-ibm-license-metric-tool-v9/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-the-ibm-performance-management-product/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-asset-analyzer-raa-is-affected-by-two-websphere-application-server-vulnerabilities/

Trust: 0.6

url:http://www.nsfocus.net/vulndb/47978

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-network-deployment-security-vulnerabilities-in-ibm-content-foundation-on-cloud-2/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-websphere-liberty-affects-ibm-waston-machine-learning-accelerator/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2213/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in-ibm-websphere-application-server-affects-ibm-voice-gateway-2/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-is-vulnerable-to-cross-site-scripting-that-affects-liberty-for-java-for-ibm-cloud-cve-2020-4303-cve-2020-4304/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1732.2/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-vulnerabilities-used-by-ibm-streams-3/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1283/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1161/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-middleware-software-affect-ibm-cloud-pak-for-automation-2/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-ibm-websphere-application-server-liberty-vulnerabilities-cve-2020-4303-cve-2020-4304/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-websphere-liberty-server-wlp-affects-ibm-cloud-application-business-insights/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1298/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-http-server-and-ibm-websphere-application-server-used-in-ibm-websphere-application-server-in-ibm-cloud/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1732/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-speech-to-text-text-to-speech-icp-websphere-application-server-liberty-fix-5/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-xss-vulnerabilities-affect-ibm-control-center-cve-2020-4303-cve-2020-4304/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-is-vulnerable-to-cross-site-scripting-cve-2020-4303-cve-2020-4304-2/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:1428

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2020-22194 // VULMON: CVE-2020-4303 // JVNDB: JVNDB-2020-003564 // CNNVD: CNNVD-202003-1742 // NVD: CVE-2020-4303

SOURCES

db: CNVD, id: CNVD-2020-22194
db: VULMON, id: CVE-2020-4303
db: JVNDB, id: JVNDB-2020-003564
db: CNNVD, id: CNNVD-202003-1742
db: NVD, id: CVE-2020-4303

LAST UPDATE DATE

2024-08-14T13:24:36.500000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-22194, date: 2020-04-09T00:00:00
db: VULMON, id: CVE-2020-4303, date: 2020-04-02T00:00:00
db: JVNDB, id: JVNDB-2020-003564, date: 2020-04-20T00:00:00
db: CNNVD, id: CNNVD-202003-1742, date: 2021-03-01T00:00:00
db: NVD, id: CVE-2020-4303, date: 2020-04-02T21:00:48.317

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-22194, date: 2020-04-09T00:00:00
db: VULMON, id: CVE-2020-4303, date: 2020-04-02T00:00:00
db: JVNDB, id: JVNDB-2020-003564, date: 2020-04-20T00:00:00
db: CNNVD, id: CNNVD-202003-1742, date: 2020-03-31T00:00:00
db: NVD, id: CVE-2020-4303, date: 2020-04-02T15:15:17.717