ID

VAR-202004-1753


CVE

CVE-2020-4304


TITLE

Cross-site scripting vulnerability in IBM WebSphere Application Server - Liberty

Trust: 0.8

sources: JVNDB: JVNDB-2020-003565

DESCRIPTION

IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670. The vendor has published this vulnerability as IBM X-Force ID 176670. Information may be obtained and tampered with. The vulnerability stems from the lack of proper validation of client-supplied data by the web application. Attackers can use this vulnerability to execute client-side code.

Trust: 2.25

sources: NVD: CVE-2020-4304 // JVNDB: JVNDB-2020-003565 // CNVD: CNVD-2020-22194 // VULMON: CVE-2020-4304

IOT TAXONOMY

category: Network device; sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-22194

AFFECTED PRODUCTS

vendor: ibm, model: websphere application server, scope: gte, version: 17.0.0.3

Trust: 1.0

vendor: ibm, model: websphere application server, scope: lte, version: 20.0.0.3

Trust: 1.0

vendor: ibm, model: websphere application server, scope: eq, version: 17.0.0.3 through 20.0.0.3

Trust: 0.8

vendor: ibm, model: websphere application server liberty, scope: gte, version: 17.0.0.3,<=20.0.0.3

Trust: 0.6

sources: CNVD: CNVD-2020-22194 // JVNDB: JVNDB-2020-003565 // NVD: CVE-2020-4304

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-4304
value: MEDIUM

Trust: 1.0

psirt@us.ibm.com: CVE-2020-4304
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-003565
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-22194
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202003-1745
value: MEDIUM

Trust: 0.6

VULMON: CVE-2020-4304
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-4304
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-003565
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-22194
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-4304
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

psirt@us.ibm.com: CVE-2020-4304
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-003565
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-22194 // VULMON: CVE-2020-4304 // JVNDB: JVNDB-2020-003565 // CNNVD: CNNVD-202003-1745 // NVD: CVE-2020-4304 // NVD: CVE-2020-4304

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2020-003565 // NVD: CVE-2020-4304

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1745

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202003-1745

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003565

PATCH

title: 6147195, url: https://www.ibm.com/support/pages/node/6147195

Trust: 0.8

title: ibm-websphere-cve20204304-xss (176670), url: https://exchange.xforce.ibmcloud.com/vulnerabilities/176670

Trust: 0.8

title: Patch for IBM WebSphere Application Server Liberty cross-site scripting vulnerability (CNVD-2020-22194), url: https://www.cnvd.org.cn/patchInfo/show/213101

Trust: 0.6

title: IBM WebSphere Application Server Liberty fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=113140

Trust: 0.6

title: Red Hat: Moderate: Open Liberty 20.0.0.4 Runtime security update, url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20201428 - Security Advisory

Trust: 0.1

title: IBM: Security Bulletin: Websphere Application Server Liberty vulnerabilities used by IBM Streams, url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=3b8ffe02148f1db99a0e458cbaf7c612

Trust: 0.1

title: IBM: Security Bulletin: Vulnerabilities in IBM WebSphere Liberty affects IBM Waston Machine Learning Accelerator, url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=a24e06700e95b219544a9d80f5852dcc

Trust: 0.1

sources: CNVD: CNVD-2020-22194 // VULMON: CVE-2020-4304 // JVNDB: JVNDB-2020-003565 // CNNVD: CNNVD-202003-1745

EXTERNAL IDS

db: NVD, id: CVE-2020-4304

Trust: 3.1

db: JVNDB, id: JVNDB-2020-003565

Trust: 0.8

db: CNVD, id: CNVD-2020-22194

Trust: 0.6

db: AUSCERT, id: ESB-2020.1298

Trust: 0.6

db: AUSCERT, id: ESB-2020.1283

Trust: 0.6

db: AUSCERT, id: ESB-2020.2213

Trust: 0.6

db: AUSCERT, id: ESB-2020.1732.2

Trust: 0.6

db: AUSCERT, id: ESB-2020.1732

Trust: 0.6

db: AUSCERT, id: ESB-2020.1161

Trust: 0.6

db: NSFOCUS, id: 47992

Trust: 0.6

db: CNNVD, id: CNNVD-202003-1745

Trust: 0.6

db: VULMON, id: CVE-2020-4304

Trust: 0.1

sources: CNVD: CNVD-2020-22194 // VULMON: CVE-2020-4304 // JVNDB: JVNDB-2020-003565 // CNNVD: CNNVD-202003-1745 // NVD: CVE-2020-4304

REFERENCES

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/176670

Trust: 1.8

url:https://www.ibm.com/support/pages/node/6147195

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-4304

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-4304

Trust: 0.8

url:https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-is-vulnerable-to-cross-site-scripting-cve-2020-4303-cve-2020-4304/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerabilities-has-been-identified-in-websphere-liberty-profile-shipped-with-ibm-license-metric-tool-v9/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-the-ibm-performance-management-product/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-asset-analyzer-raa-is-affected-by-two-websphere-application-server-vulnerabilities/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-network-deployment-security-vulnerabilities-in-ibm-content-foundation-on-cloud-2/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-websphere-liberty-affects-ibm-waston-machine-learning-accelerator/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2213/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in-ibm-websphere-application-server-affects-ibm-voice-gateway-2/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-is-vulnerable-to-cross-site-scripting-that-affects-liberty-for-java-for-ibm-cloud-cve-2020-4303-cve-2020-4304/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1732.2/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-vulnerabilities-used-by-ibm-streams-3/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1283/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1161/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-middleware-software-affect-ibm-cloud-pak-for-automation-2/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-ibm-websphere-application-server-liberty-vulnerabilities-cve-2020-4303-cve-2020-4304/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-websphere-liberty-server-wlp-affects-ibm-cloud-application-business-insights/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1298/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-http-server-and-ibm-websphere-application-server-used-in-ibm-websphere-application-server-in-ibm-cloud/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1732/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-speech-to-text-text-to-speech-icp-websphere-application-server-liberty-fix-5/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-xss-vulnerabilities-affect-ibm-control-center-cve-2020-4303-cve-2020-4304/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-is-vulnerable-to-cross-site-scripting-cve-2020-4303-cve-2020-4304-2/

Trust: 0.6

url:http://www.nsfocus.net/vulndb/47992

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:1428

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2020-22194 // VULMON: CVE-2020-4304 // JVNDB: JVNDB-2020-003565 // CNNVD: CNNVD-202003-1745 // NVD: CVE-2020-4304

SOURCES

db: CNVD, id: CNVD-2020-22194
db: VULMON, id: CVE-2020-4304
db: JVNDB, id: JVNDB-2020-003565
db: CNNVD, id: CNNVD-202003-1745
db: NVD, id: CVE-2020-4304

LAST UPDATE DATE

2024-08-14T13:24:36.533000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-22194, date: 2020-04-09T00:00:00
db: VULMON, id: CVE-2020-4304, date: 2020-04-02T00:00:00
db: JVNDB, id: JVNDB-2020-003565, date: 2020-04-20T00:00:00
db: CNNVD, id: CNNVD-202003-1745, date: 2021-03-01T00:00:00
db: NVD, id: CVE-2020-4304, date: 2020-04-02T20:59:22.783

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-22194, date: 2020-04-09T00:00:00
db: VULMON, id: CVE-2020-4304, date: 2020-04-02T00:00:00
db: JVNDB, id: JVNDB-2020-003565, date: 2020-04-20T00:00:00
db: CNNVD, id: CNNVD-202003-1745, date: 2020-03-31T00:00:00
db: NVD, id: CVE-2020-4304, date: 2020-04-02T15:15:17.780