CVE-2023-26283: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server 9.0 was identified with a cross-site scripting (XSS) vulnerability tracked as CVE-2023-26283. The vulnerability was discovered in February 2023 and publicly disclosed in March 2023. This security flaw affects the Admin Console component of WebSphere Application Server version 9.0 through 9.0.5.14 (IBM Advisory).

The vulnerability allows attackers to embed arbitrary JavaScript code in the Web UI of the Admin Console. It has been assigned a CVSS v3.1 base score of 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates the vulnerability requires network access, low attack complexity, low privileges, and user interaction, with potential impacts on confidentiality and integrity (NVD).

When successfully exploited, this vulnerability can lead to the alteration of intended functionality and potentially result in credentials disclosure within a trusted session. The attack can compromise both confidentiality and integrity of the system, though it does not affect system availability (IBM Advisory).

IBM has released fixes for this vulnerability and strongly recommends immediate remediation. Users can address the vulnerability by either applying the interim fix PH52925 or upgrading to Fix Pack 9.0.5.15 or later (targeted availability 2Q2023). For versions 9.0.0.0 through 9.0.5.14, users must first upgrade to the minimal fix pack levels as required by the interim fix before applying PH52925 (IBM Advisory).