
Cloud Vulnerability DB
A community-led vulnerabilities database
IBM WebSphere Application Server - Liberty versions 17.0.0.3 through 20.0.0.3 were found to be vulnerable to cross-site scripting (XSS). The vulnerability affects the OAuth, OpenID Connect, and SAML features of the application server. The issue was disclosed and addressed in March 2020 (IBM Security).
The vulnerability allows users to embed arbitrary JavaScript code in the Web UI, which can alter the intended functionality and potentially lead to credential disclosure within a trusted session. It has been assigned a CVSS base score of 6.1 with the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating moderate severity (IBM Security).
If exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of other users' sessions, potentially leading to the disclosure of sensitive credentials and compromising user sessions (IBM Security).
IBM recommends either applying interim fix PH22080 or upgrading to Liberty Fix Pack 20.0.0.4 or later. Affected versions (17.0.0.3 through 20.0.0.3) are only exposed when the oauth-2.0, openidConnectServer-1.0, openidConnectClient-1.0, or samlWeb-2.0 feature is enabled; installations on those versions should first upgrade to the minimum fix pack level required by the interim fix, then apply it. No workarounds are available for this vulnerability (IBM Security).
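The remediation guidance above hinges on two facts about an installation: whether its Liberty version falls inside 17.0.0.3 through 20.0.0.3, and whether any of the four listed features is enabled in server.xml. The following script is an added example, not code from IBM or from this database, that turns those two checks into a repeatable triage step. It assumes the version string is in the usual four-part Liberty form (for example as printed by the product's version tooling) and that all enabled features are declared in the one server.xml you pass it; it does not detect whether interim fix PH22080 has already been installed, so a "vulnerable" result means "in the affected range and exposing an affected feature", not "unpatched". The sample server.xml is constructed for the example.

```python
"""Triage helper: is a Liberty server in the affected range AND exposing an affected feature?"""
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

# Version range and feature list taken from the IBM advisory text (inclusive bounds).
AFFECTED_MIN: Tuple[int, ...] = (17, 0, 0, 3)
AFFECTED_MAX: Tuple[int, ...] = (20, 0, 0, 3)
FIXED_MIN: Tuple[int, ...] = (20, 0, 0, 4)
# Liberty feature names are matched case-insensitively, so store them lower-cased.
AFFECTED_FEATURES: Set[str] = {
    "oauth-2.0",
    "openidconnectserver-1.0",
    "openidconnectclient-1.0",
    "samlweb-2.0",
}

# Constructed sample server.xml (not from any real deployment): one affected feature enabled.
SAMPLE_SERVER_XML = """<server description="constructed example">
    <featureManager>
        <feature>jsp-2.3</feature>
        <feature>openidConnectClient-1.0</feature>
        <feature>transportSecurity-1.0</feature>
    </featureManager>
</server>"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a four-part Liberty version such as '19.0.0.12' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Liberty version format: {text!r}")
    return tuple(int(p) for p in parts)


def enabled_features(server_xml: str) -> Set[str]:
    """Collect every <feature> under any <featureManager>, normalised to lower case."""
    root = ET.fromstring(server_xml.lstrip())
    features: Set[str] = set()
    for manager in root.iter("featureManager"):
        for feature in manager.findall("feature"):
            if feature.text and feature.text.strip():
                features.add(feature.text.strip().lower())
    return features


def assess(version_text: str, server_xml: str) -> Dict[str, object]:
    """Combine the version-range check with the feature check into one verdict."""
    version = parse_version(version_text)
    in_range = AFFECTED_MIN <= version <= AFFECTED_MAX
    exposed = sorted(enabled_features(server_xml) & AFFECTED_FEATURES)
    vulnerable = in_range and bool(exposed)
    if vulnerable:
        # Remediation options as stated in the advisory: interim fix or fix pack 20.0.0.4+.
        action = "apply interim fix PH22080 or upgrade to 20.0.0.4 or later"
    elif in_range:
        action = "in affected range but no affected feature enabled; re-check if features change"
    else:
        action = "version outside the affected range"
    return {
        "version": version_text.strip(),
        "version_affected": in_range,
        "exposed_features": exposed,
        "vulnerable": vulnerable,
        "action": action,
    }


if __name__ == "__main__":
    for candidate in ("19.0.0.12", "20.0.0.3", "20.0.0.4", "17.0.0.2"):
        print(candidate, assess(candidate, SAMPLE_SERVER_XML))
```

Because the bounds are inclusive tuples, 17.0.0.3 and 20.0.0.3 both count as affected while 17.0.0.2 and 20.0.0.4 do not; a server on 19.0.0.12 with only jsp-2.3 enabled is reported as in range but not exposed, which is the case where the advisory's "only affected when these features are used" qualifier matters for prioritisation.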
Source: This report was generated using AI