CVE-2013-0499


Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services.


Published

2013-05-28T16:55:01.133

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-79

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | ibm | websphere_datapower_xc10_appliance_firmware | 3.8.2 | Yes |
| Operating System | ibm | websphere_datapower_xc10_appliance_firmware | 4.0 | Yes |
| Operating System | ibm | websphere_datapower_xc10_appliance_firmware | 4.0.1 | Yes |
| Operating System | ibm | websphere_datapower_xc10_appliance_firmware | 4.0.2 | Yes |
| Operating System | ibm | websphere_datapower_xc10_appliance_firmware | 5.0.0 | Yes |
| Hardware | ibm | websphere_datapower_xc10_appliance | - | Yes |
| Operating System | ibm | websphere_datapower_service_gateway_xg45_virtual_edition_firmware | 3.8.2 | Yes |
| Operating System | ibm | websphere_datapower_service_gateway_xg45_virtual_edition_firmware | 4.0 | Yes |
| Operating System | ibm | websphere_datapower_service_gateway_xg45_virtual_edition_firmware | 4.0.1 | Yes |
| Operating System | ibm | websphere_datapower_service_gateway_xg45_virtual_edition_firmware | 4.0.2 | Yes |
| Operating System | ibm | websphere_datapower_service_gateway_xg45_virtual_edition_firmware | 5.0.0 | Yes |
| Hardware | ibm | websphere_datapower_service_gateway_xg45_virtual_edition | - | Yes |
| Operating System | ibm | websphere_datapower_service_gateway_xg45_firmware | 3.8.2 | Yes |
| Operating System | ibm | websphere_datapower_service_gateway_xg45_firmware | 4.0 | Yes |
| Operating System | ibm | websphere_datapower_service_gateway_xg45_firmware | 4.0.1 | Yes |
| Operating System | ibm | websphere_datapower_service_gateway_xg45_firmware | 4.0.2 | Yes |
| Operating System | ibm | websphere_datapower_service_gateway_xg45_firmware | 5.0.0 | Yes |
| Hardware | ibm | websphere_datapower_service_gateway_xg45 | - | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi52_virtual_edition_firmware | 3.8.2 | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi52_virtual_edition_firmware | 4.0 | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi52_virtual_edition_firmware | 4.0.1 | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi52_virtual_edition_firmware | 4.0.2 | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi52_virtual_edition_firmware | 5.0.0 | Yes |
| Hardware | ibm | websphere_datapower_integration_appliance_xi52_virtual_edition | - | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi52_firmware | 3.8.2 | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi52_firmware | 4.0 | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi52_firmware | 4.0.1 | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi52_firmware | 4.0.2 | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi52_firmware | 5.0.0 | Yes |
| Hardware | ibm | websphere_datapower_integration_appliance_xi52 | - | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi50_firmware | 3.8.2 | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi50_firmware | 4.0 | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi50_firmware | 4.0.1 | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi50_firmware | 4.0.2 | Yes |
| Operating System | ibm | websphere_datapower_integration_appliance_xi50_firmware | 5.0.0 | Yes |
| Hardware | ibm | websphere_datapower_integration_appliance_xi50 | - | Yes |
| Operating System | ibm | websphere_datapower_b2b_appliance_xb62_firmware | 3.8.2 | Yes |
| Operating System | ibm | websphere_datapower_b2b_appliance_xb62_firmware | 4.0 | Yes |
| Operating System | ibm | websphere_datapower_b2b_appliance_xb62_firmware | 4.0.1 | Yes |
| Operating System | ibm | websphere_datapower_b2b_appliance_xb62_firmware | 4.0.2 | Yes |
| Operating System | ibm | websphere_datapower_b2b_appliance_xb62_firmware | 5.0.0 | Yes |
| Hardware | ibm | websphere_datapower_b2b_appliance_xb62 | - | Yes |

References