Multiple vulnerabilities have been reported in IBM WebSphere Application Server, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks.

1) An error exists in a WS-Security policy enabled JAX-WS and JAX-RPC application.

For more information see vulnerability #1 in:
SA46469

This vulnerability is reported in versions 6.0.2 through 6.0.2.43, 6.1 through 6.1.0.41, 7.0 through 7.0.0.21, and 8.0 through 8.0.0.2.

2) Certain unspecified input passed to the integration solution console component is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

This may be related to:
SA43093

3) Certain unspecified input passed to the cheatSheetPackage component is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities #2 and #3 are reported in versions prior to 6.1.0.43, 7.0.0.23, or 8.0.0.3.

Solution
Apply APAR PM59115 and PM59119 or update to version 6.1.0.43 (Fix Pack 43), 7.0.0.23 (Fix Pack 23), or 8.0.0.3 (Fix Pack 3).

Provided and/or discovered by
Reported by the vendor.

Changelog
Further details available to Secunia VIM customers

Original Advisory
IBM (PM45181, PM52274, PM53132):
http://www.ibm.com/support/docview.wss?uid=swg1PM59115
http://www.ibm.com/support/docview.wss?uid=swg1PM59119
http://www.ibm.com/support/docview.wss?uid=swg27007951
http://www.ibm.com/support/docview.wss?uid=swg27022958
http://www.ibm.com/support/docview.wss?uid=swg27014463
http://www.ibm.com/support/docview.wss?uid=swg21587536

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers