CVE-2013-0499

IBM WebSphere DataPower SOA - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the echo functionality on IBM WebSphere DataPower SOA appliances with firmware 3.8.2, 4.0, 4.0.1, 4.0.2, and 5.0.0 allows remote attackers to inject arbitrary web script or HTML via a SOAP message, as demonstrated by the XML Firewall, Multi Protocol Gateway (MPGW), Web Service Proxy, and Web Token services.

References (4)

[Exploit] http://seclists.org/bugtraq/2013/May/83

[Vendor Advisory] http://www-01.ibm.com/support/docview.wss?uid=swg21637717

[Exploit] https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130523-0_IBM_Xi50_Echo-WebService_Xss_in_Xml_v10.txt

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/82221

Scores

EPSS 0.0026

EPSS Percentile 48.7%

Details

CWE

CWE-79

Status published

Products (43)

ibm/websphere_datapower_xc10_appliance_firmware

ibm/websphere_datapower_xc10_appliance_firmware

ibm/websphere_datapower_xc10_appliance_firmware

ibm/websphere_datapower_xc10_appliance_firmware

ibm/websphere_datapower_xc10_appliance_firmware

ibm/websphere_datapower_xc10_appliance

ibm/websphere_datapower_service_gateway_xg45_virtual_edition_firmware

ibm/websphere_datapower_service_gateway_xg45_virtual_edition_firmware

ibm/websphere_datapower_service_gateway_xg45_virtual_edition_firmware

ibm/websphere_datapower_service_gateway_xg45_virtual_edition_firmware

... and 33 more

Published May 28, 2013

Tracked Since Feb 18, 2026