CVE-2022-22477: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server versions 8.5 and 9.0 were identified with a cross-site scripting (XSS) vulnerability tracked as CVE-2022-22477. The vulnerability was discovered on January 3, 2022, and allows attackers to embed arbitrary JavaScript code in the Web UI, potentially leading to credentials disclosure within a trusted session (IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, with low impacts on both confidentiality and integrity (NVD).

The vulnerability allows malicious actors to embed arbitrary JavaScript code in the Web UI, which can alter the intended functionality of the application. The primary risk is the potential disclosure of credentials within a trusted session, compromising user authentication security (IBM Advisory).

IBM recommends addressing the vulnerability by applying interim fix PH50116 or upgrading to specific fix pack versions. For WebSphere Application Server V9.0.0.0 through 9.0.5.13, users should upgrade to Fix Pack 9.0.5.14 or later. For V8.5.0.0 through 8.5.5.22, users should upgrade to Fix Pack 8.5.5.23 or later. No workarounds are available for this vulnerability (IBM Advisory).