Unrated severity · NVD Advisory · Published Dec 2, 2009 · Updated Apr 23, 2026

CVE-2009-4152

Description

Cross-site scripting (XSS) vulnerability in the Collaboration component in IBM WebSphere Portal 6.1.x before 6.1.0.3 allows remote attackers to inject arbitrary web script or HTML via the people picker tag.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM WebSphere Portal 6.1.x before 6.1.0.3 has a stored XSS in the Collaboration component's people picker tag, allowing arbitrary script injection.

Vulnerability

The Collaboration component in IBM WebSphere Portal 6.1.x before version 6.1.0.3 contains a cross-site scripting (XSS) vulnerability. The flaw resides in the people picker tag, which does not properly sanitize user input, allowing injection of arbitrary web script or HTML.

Exploitation

A remote attacker can exploit this vulnerability by crafting a malicious request that includes injected script in the people picker tag. The attack does not require authentication but may rely on user interaction, such as clicking a crafted link, to trigger the XSS in the context of the victim's browser.

Impact

Successful exploitation allows the attacker to execute arbitrary script in the browser of an authenticated user. This can lead to session hijacking, information disclosure, or unauthorized actions within the portal, compromising the confidentiality and integrity of user data.

Mitigation

IBM WebSphere Portal version 6.1.0.3 contains the fix for this vulnerability. Users should upgrade to this version or later. No workarounds are documented in the available references.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:ibm:websphere_portal:6.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_portal:6.1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_portal:6.1.0.2:*:*:*:*:*:*:*
  • (no CPE) range: <6.1.0.3
