VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2010 · Updated Apr 29, 2026

CVE-2010-2325

Description

Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in IBM WebSphere Application Server 7.0 for z/OS administrative console allows remote attackers to inject arbitrary web script via URL injection.

Vulnerability

IBM WebSphere Application Server (WAS) 7.0 for z/OS before version 7.0.0.11 contains a cross-site scripting (XSS) vulnerability in the administrative console. The issue is related to "URL injection" via unspecified vectors, allowing injection of arbitrary web script or HTML. Affected versions are WAS 7.0.0.0 through 7.0.0.10 on z/OS. [1]

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL that, when accessed by an authenticated administrator, injects script into the administrative console. No authentication is required for the attacker to deliver the payload, but the victim must be logged into the console. The attack vector is network-based, requiring the attacker to trick an administrator into clicking a crafted link or visiting a malicious page. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the administrative console session. This could lead to session hijacking, defacement, or theft of sensitive information accessible to the administrator. The impact is limited to the browser session of the victim administrator. [1]

Mitigation

IBM released fix pack 7.0.0.11 for WebSphere Application Server V7.0 for z/OS, which includes the fix for this vulnerability. The fix is available via APAR PM15830. Users should upgrade to version 7.0.0.11 or later. No workarounds are documented in the available reference. [1]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

12
    • cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:* (range: <=7.0.0.10)
    • cpe:2.3:a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.9:*:*:*:*:*:*:*
    • (no CPE) (range: <7.0.0.11)

Patches

0

No patches discovered yet.

References

4
