VYPR
Medium severity (CVSS 5.4) · NVD Advisory · Published Oct 1, 2016 · Updated May 6, 2026

CVE-2016-3042

Description

Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Application Server (WAS) Liberty before 16.0.0.3 allows remote authenticated users to inject arbitrary web script or HTML via vectors involving OpenID Connect clients.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM WebSphere Liberty before 16.0.0.3 has a stored XSS in OpenID Connect clients, allowing authenticated users to inject arbitrary web script or HTML.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the Web UI of IBM WebSphere Application Server Liberty prior to version 16.0.0.3 [1]. The flaw resides in OpenID Connect client configuration pages, where user-supplied input is not properly sanitized before rendering. The affected version range is any Liberty release before 16.0.0.3. Exploitation requires an authenticated user with access to modify OpenID Connect client settings.

Exploitation

An attacker must have valid credentials for the WebSphere Liberty administrative console or a similar authenticated interface where OpenID Connect clients can be configured [1]. The attacker then crafts a malicious script or HTML payload and injects it into an input field that is processed by the OpenID Connect client functionality. When the payload is later rendered in the Web UI, it executes within the security context of the current user session.

Impact

Successful exploitation leads to cross-site scripting (XSS), enabling the attacker to execute arbitrary JavaScript in the browser of other authenticated users who view the affected page [1]. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates limited confidentiality and integrity impact, but the attacker could potentially steal session cookies, perform actions on behalf of the victim, or deface the administrative interface. The scope is changed because the injected script can affect resources beyond the vulnerable component.

Mitigation

IBM recommends upgrading to WebSphere Application Server Liberty Fix Pack 16.0.0.3 or later, or applying Interim Fix PI64790 to any supported fix pack level [1]. No workarounds are documented. The fix addresses the improper input sanitization in the OpenID Connect client UI.
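The narrative above describes the defect in general terms (a stored value reaching the Web UI without proper encoding) and says only that the fix addresses it. The following added example, which is not IBM's code and makes no claim about how Liberty renders its OpenID Connect client pages, shows the general pattern behind this class of bug: the same constructed client records rendered once by raw string interpolation and once with contextual HTML escaping, plus a small review check that flags markup still containing a raw script tag. The client records, field names and URLs are constructed for illustration.

```python
import html
import re

# Constructed sample OpenID Connect client records, shaped like what an admin UI
# might persist. The second record carries a script tag in its display name, the
# kind of stored value the advisory describes reaching the Web UI unencoded.
SAMPLE_CLIENTS = [
    {"client_id": "rp-portal", "display_name": "Employee Portal",
     "redirect_uri": "https://portal.example.test/cb"},
    {"client_id": "rp-demo", "display_name": "Ops<script>alert(1)</script>",
     "redirect_uri": "https://ops.example.test/cb"},
]

# Regex used by the review check below (matches an unescaped opening script tag).
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_unsafe(clients):
    """Vulnerable pattern: stored values interpolated straight into HTML."""
    rows = []
    for c in clients:
        rows.append(
            f"<tr><td>{c['client_id']}</td><td>{c['display_name']}</td>"
            f"<td><a href=\"{c['redirect_uri']}\">{c['redirect_uri']}</a></td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def safe_href(value):
    """Attribute context: allow only http(s) URLs, then escape for the attribute."""
    if not re.match(r"^https?://", value, re.IGNORECASE):
        return "#"  # constructed fallback for anything that is not an http(s) URL
    return html.escape(value, quote=True)


def render_safe(clients):
    """Hardened pattern: encode every stored value for the context it lands in."""
    rows = []
    for c in clients:
        cid = html.escape(c["client_id"], quote=True)      # element text context
        name = html.escape(c["display_name"], quote=True)  # element text context
        uri = safe_href(c["redirect_uri"])                 # href attribute context
        rows.append(
            f"<tr><td>{cid}</td><td>{name}</td>"
            f"<td><a href=\"{uri}\">{uri}</a></td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def contains_raw_script(markup):
    """Review check: True if rendered markup still contains an unescaped <script tag."""
    return bool(SCRIPT_TAG.search(markup))


if __name__ == "__main__":
    unsafe = render_unsafe(SAMPLE_CLIENTS)
    safe = render_safe(SAMPLE_CLIENTS)
    print("unsafe output carries raw script tag:", contains_raw_script(unsafe))
    print("safe output carries raw script tag:  ", contains_raw_script(safe))
    print(safe)
```

The point of the two renderers side by side is that the stored data is identical in both cases; what differs is whether each value is encoded for the HTML context it is written into. The `contains_raw_script` check is the kind of assertion a regression test for this fix would make against the rendered page, rather than against the stored configuration.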

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.