Sign-up

ID

VAR-202004-1753


CVE

CVE-2020-4304


TITLE

IBM WebSphere Application Server - Liberty Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-003565

DESCRIPTION

IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670. Vendor exploits this vulnerability IBM X-Force ID: 176670 It is published as.Information may be obtained and tampered with. The vulnerability stems from the lack of proper verification of client data by WEB applications. Attackers can use this vulnerability to execute client code

Trust: 2.25

sources: NVD: CVE-2020-4304 // JVNDB: JVNDB-2020-003565 // CNVD: CNVD-2020-22194 // VULMON: CVE-2020-4304

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-22194

AFFECTED PRODUCTS

vendor:ibmmodel:websphere application serverscope:gteversion:17.0.0.3

Trust: 1.0

vendor:ibmmodel:websphere application serverscope:lteversion:20.0.0.3

Trust: 1.0

vendor:ibmmodel:websphere application serverscope:eqversion:17.0.0.3 から 20.0.0.3

Trust: 0.8

vendor:ibmmodel:websphere application server libertyscope:gteversion:17.0.0.3,<=20.0.0.3

Trust: 0.6

sources: CNVD: CNVD-2020-22194 // JVNDB: JVNDB-2020-003565 // NVD: CVE-2020-4304

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-4304
value: MEDIUM

Trust: 1.0

psirt@us.ibm.com: CVE-2020-4304
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-003565
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-22194
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202003-1745
value: MEDIUM

Trust: 0.6

VULMON: CVE-2020-4304
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-4304
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-003565
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-22194
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-4304
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

psirt@us.ibm.com: CVE-2020-4304
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-003565
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-22194 // VULMON: CVE-2020-4304 // JVNDB: JVNDB-2020-003565 // CNNVD: CNNVD-202003-1745 // NVD: CVE-2020-4304 // NVD: CVE-2020-4304

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2020-003565 // NVD: CVE-2020-4304

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1745

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202003-1745

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-003565

PATCH
title:6147195url:https://www.ibm.com/support/pages/node/6147195
Trust: 0.8
title:ibm-websphere-cve20204304-xss (176670)url:https://exchange.xforce.ibmcloud.com/vulnerabilities/176670
Trust: 0.8
title:Patch for IBM WebSphere Application Server Liberty cross-site scripting vulnerability (CNVD-2020-22194)url:https://www.cnvd.org.cn/patchInfo/show/213101
Trust: 0.6
title:IBM WebSphere Application Server Liberty Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=113140
Trust: 0.6
title:Red Hat: Moderate: Open Liberty 20.0.0.4 Runtime security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20201428 - Security Advisory
Trust: 0.1
title:IBM: Security Bulletin:  Websphere Application Server Liberty vulnerabilities used by IBM Streamsurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=3b8ffe02148f1db99a0e458cbaf7c612
Trust: 0.1
title:IBM: Security Bulletin:  Vulnerabilities in IBM WebSphere Liberty affects IBM Waston Machine Learning Acceleratorurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=a24e06700e95b219544a9d80f5852dcc
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2020-22194 // 
            
            
            
            VULMON: CVE-2020-4304 // 
            
            
            
            JVNDB: JVNDB-2020-003565 // 
            
            
            
            CNNVD: CNNVD-202003-1745

EXTERNAL IDS
db:NVDid:CVE-2020-4304
Trust: 3.1
db:JVNDBid:JVNDB-2020-003565
Trust: 0.8
db:CNVDid:CNVD-2020-22194
Trust: 0.6
db:AUSCERTid:ESB-2020.1298
Trust: 0.6
db:AUSCERTid:ESB-2020.1283
Trust: 0.6
db:AUSCERTid:ESB-2020.2213
Trust: 0.6
db:AUSCERTid:ESB-2020.1732.2
Trust: 0.6
db:AUSCERTid:ESB-2020.1732
Trust: 0.6
db:AUSCERTid:ESB-2020.1161
Trust: 0.6
db:NSFOCUSid:47992
Trust: 0.6
db:CNNVDid:CNNVD-202003-1745
Trust: 0.6
db:VULMONid:CVE-2020-4304
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2020-22194 // 
            
            
            
            VULMON: CVE-2020-4304 // 
            
            
            
            JVNDB: JVNDB-2020-003565 // 
            
            
            
            CNNVD: CNNVD-202003-1745 // 
            
            
            
            NVD: CVE-2020-4304

REFERENCES
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/176670
Trust: 1.8
url:https://www.ibm.com/support/pages/node/6147195
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2020-4304
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-4304
Trust: 0.8
url:https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-is-vulnerable-to-cross-site-scripting-cve-2020-4303-cve-2020-4304/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerabilities-has-been-identified-in-websphere-liberty-profile-shipped-with-ibm-license-metric-tool-v9/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-the-ibm-performance-management-product/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-asset-analyzer-raa-is-affected-by-two-websphere-application-server-vulnerabilities/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-network-deployment-security-vulnerabilities-in-ibm-content-foundation-on-cloud-2/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-websphere-liberty-affects-ibm-waston-machine-learning-accelerator/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.2213/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in-ibm-websphere-application-server-affects-ibm-voice-gateway-2/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-is-vulnerable-to-cross-site-scripting-that-affects-liberty-for-java-for-ibm-cloud-cve-2020-4303-cve-2020-4304/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.1732.2/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-vulnerabilities-used-by-ibm-streams-3/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.1283/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.1161/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-middleware-software-affect-ibm-cloud-pak-for-automation-2/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-ibm-websphere-application-server-liberty-vulnerabilities-cve-2020-4303-cve-2020-4304/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-websphere-liberty-server-wlp-affects-ibm-cloud-application-business-insights/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.1298/
Trust: 0.6
url:http-server-and-ibm-websphere-application-server-used-in-ibm-websphere-application-server-in-ibm-cloud/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.1732/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-speech-to-text-text-to-speech-icp-websphere-application-server-liberty-fix-5/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-xss-vulnerabilities-affect-ibm-control-center-cve-2020-4303-cve-2020-4304/
Trust: 0.6
url:https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-is-vulnerable-to-cross-site-scripting-cve-2020-4303-cve-2020-4304-2/
Trust: 0.6
url:http://www.nsfocus.net/vulndb/47992
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/79.html
Trust: 0.1
url:https://access.redhat.com/errata/rhsa-2020:1428
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2020-22194 // 
            
            
            
            VULMON: CVE-2020-4304 // 
            
            
            
            JVNDB: JVNDB-2020-003565 // 
            
            
            
            CNNVD: CNNVD-202003-1745 // 
            
            
            
            NVD: CVE-2020-4304

SOURCES
db:CNVDid:CNVD-2020-22194
db:VULMONid:CVE-2020-4304
db:JVNDBid:JVNDB-2020-003565
db:CNNVDid:CNNVD-202003-1745
db:NVDid:CVE-2020-4304

LAST UPDATE DATE
2024-08-14T13:24:36.533000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-22194date:2020-04-09T00:00:00
db:VULMONid:CVE-2020-4304date:2020-04-02T00:00:00
db:JVNDBid:JVNDB-2020-003565date:2020-04-20T00:00:00
db:CNNVDid:CNNVD-202003-1745date:2021-03-01T00:00:00
db:NVDid:CVE-2020-4304date:2020-04-02T20:59:22.783

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-22194date:2020-04-09T00:00:00
db:VULMONid:CVE-2020-4304date:2020-04-02T00:00:00
db:JVNDBid:JVNDB-2020-003565date:2020-04-20T00:00:00
db:CNNVDid:CNNVD-202003-1745date:2020-03-31T00:00:00
db:NVDid:CVE-2020-4304date:2020-04-02T15:15:17.780