An old (but still used) version of the IBM WebSphere Application Server (WAS) Integrated Solutions Console administrative application–used as the administrative console to configure and administer the WebSphere Application Server–contains a reflected cross-site scripting vulnerability.

The full details are released over at OSVDB. The affected version is 7.0.0.19, which is after the 7.0.0.13 version that fixes various unspecified XSS instances released by previous CVEs.

This was fun to write up because the vulnerable input vector is the User ID box (HTML id of “username”):

Login page

Once a XSS payload is supplied and the user is redirected into the application upon login, it executes as part of the “Welcome [username]” message at the top of the administrative dashboard:

Dashboard