CVE-2020-4303: 
IBM WebSphere App Server vulnerability analysis and mitigation

CVE-2020-4303 is a cross-site scripting vulnerability affecting IBM WebSphere Application Server Liberty versions 17.0.0.3 through 20.0.0.3. The vulnerability was discovered and disclosed in March 2020, specifically impacting the OAuth, OpenID Connect, and SAML features of the application server (IBM Security).

The vulnerability allows users to embed arbitrary JavaScript code in the Web UI, which can alter the intended functionality of the application. It has been assigned a CVSS Base score of 6.1 with a vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a moderate severity level. The attack vector is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (IBM Security).

If exploited, this vulnerability could potentially lead to credentials disclosure within a trusted session. The cross-site scripting attack could allow malicious actors to execute arbitrary JavaScript code in the context of the vulnerable web interface, potentially compromising user sessions and sensitive information (IBM Security).

IBM recommends applying the interim fix or Fix Pack containing APAR PH22080 as the primary mitigation strategy. Users can either upgrade to the minimal fix pack levels and apply Interim Fix PH22080, or apply Liberty Fix Pack 20.0.0.4 or later. No temporary workarounds are available for this vulnerability (IBM Security).