VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 12, 2011· Updated Apr 29, 2026

CVE-2011-0315

CVE-2011-0315

Description

Cross-site scripting (XSS) vulnerability in the Servlet Engine / Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to the lack of an error page for an application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM WebSphere Application Server 6.1/7.0 is vulnerable to reflected XSS due to missing error pages, allowing arbitrary script injection.

Vulnerability

IBM WebSphere Application Server (WAS) versions 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 contain a cross-site scripting (XSS) vulnerability in the Servlet Engine / Web Container component [1]. The issue arises from the lack of an error page for an application, which allows attacker-controlled input to be reflected in error responses without proper sanitization.

Exploitation

A remote attacker can exploit this vulnerability by crafting a malicious URL that includes arbitrary web script or HTML. When a victim visits this crafted URL while accessing a vulnerable WebSphere application, the server returns an error page that reflects the injected script, which then executes in the victim's browser within the security context of the target domain. No authentication is required; the attacker only needs to induce the victim to click the link.

Impact

Successful exploitation allows an attacker to inject arbitrary web script or HTML into the victim's browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack scope is the web application's domain, and the impact is limited to the victim's browser (no direct server compromise).

Mitigation

IBM has addressed this issue in WebSphere Application Server versions 6.1.0.35 and 7.0.0.15, available via Fix Central [1]. Organizations should upgrade to the respective fixed versions as soon as possible. There is no indication of this CVE being listed on the KEV. If patching is not immediate, administrators can implement a custom error page for their applications that does not reflect user input, or deploy a Web Application Firewall (WAF) to block malicious requests.

References
  1. Fix list for IBM WebSphere Application Server V7.0

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

35
  • IBM/Websphere Application Server35 versions
    cpe:2.3:a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*+ 34 more
    • cpe:2.3:a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.23:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.25:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.27:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.29:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.31:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.33:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.9:*:*:*:*:*:*:*
    • (no CPE)range: 6.1 < 6.1.0.35, 7.0 < 7.0.0.15

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.