| VID | 21532 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description |
The IBM WebSphere Application Server has an information disclosure vulnerability when using servlet caching. IBM WebSphere Commerce Suite (WCS) versions 5.5, 5.6, and 5.6.0.1 could allow a remote attacker to obtain sensitive information. Under certain circumstances when servlet caching is in use, the cache entry for a product or category display page can become linked to a prepopulated form, which may disclose private information, such as the customer's logon ID.
* References: http://www-1.ibm.com/support/docview.wss?uid=swg21199839; http://secunia.com/advisories/14589/
* Platforms Affected: IBM WebSphere Commerce Suite 5.5; IBM WebSphere Commerce Suite 5.6; IBM WebSphere Commerce Suite 5.6.0.1; IBM AIX (any version); Linux (any version) |
| Recommendation |
For IBM WebSphere Commerce Suite 5.5: Apply the APAR IY60949 patch, available from the IBM Support and Download Web page at http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg21173312
For IBM WebSphere Commerce Suite 5.6 and 5.6.0.1: Apply fix pack 5.6.0.2 or later, available from the IBM Support and Download Web page at http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg21173312 |
| Related URL | (CVE) |
| Related URL | 12812 (SecurityFocus) |
| Related URL | 19700 (ISS) |