CVE-2009-0856
Description
Multiple cross-site scripting (XSS) vulnerabilities in sample applications in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, and 6.1 before 6.1.0.23 on z/OS, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple XSS vulnerabilities in IBM WebSphere Application Server sample applications allow arbitrary script injection on z/OS before fixes.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in the sample applications shipped with IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, and 6.1 before 6.1.0.23 on z/OS. The official description states only that unspecified vectors allow injection of arbitrary web script or HTML. The associated APAR PK81212 [1] lists defect PK76720 as the fix for these XSS issues in the sample applications. No further technical details on the vulnerable parameters or conditions are disclosed in the available references.
Exploitation
Remote attackers can exploit these vulnerabilities without authentication or special privileges, since the sample applications are typically reachable without credentials in default configurations. The attack vector is the network: crafted HTTP requests sent to the sample application pages. No user interaction beyond visiting a crafted URL is required. The exact injection points are not publicly disclosed in the provided references.
Impact
Successful exploitation allows an attacker to execute arbitrary web script or HTML in the context of the victim's browser session. This could lead to session hijacking, credential theft, defacement, or any other action the victim user can perform within the affected WebSphere environment. The impact is limited to the confidentiality and integrity of data accessible to the victim's session; it does not grant server-side code execution.
Mitigation
The vulnerabilities are fixed in WebSphere Application Server 6.0.2.35 and 6.1.0.23 (z/OS). IBM has released the APAR fix PK81212 [1], which includes the correction. Users should apply the appropriate fix pack as soon as possible. No workarounds are documented in the provided references. The CVE is not known to be listed in the KEV catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:*
- (no CPE) range: <6.0.2.35 (6.0.2) and <6.1.0.23 (6.1 on z/OS)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] www-01.ibm.com/support/docview.wss (nvd; Patch, Vendor Advisory)
- www.vupen.com/english/advisories/2009/0607 (nvd; Vendor Advisory)
- www.vupen.com/english/advisories/2009/1464 (nvd; Vendor Advisory)
- securitytracker.com/id (nvd)
- www-01.ibm.com/support/docview.wss (nvd)
- www-01.ibm.com/support/docview.wss (nvd)
- www.securityfocus.com/bid/34001 (nvd)
News mentions
No linked articles in our index yet.