IBM WebSphere Lombardi Edition 'Coach' Script HTML Injection Vulnerability

Bugtraq ID:	52104
Class:	Input Validation Error
CVE:	CVE-2012-0707
Remote:	Yes
Local:	No
Published:	Feb 21 2012 12:00AM
Updated:	Feb 24 2012 05:30PM
Credit:	The vendor reported this issue.
Vulnerable:	IBM WebSphere Lombardi Edition 7.2
Not Vulnerable:

IBM WebSphere Lombardi Edition 'Coach' Script HTML Injection Vulnerability

IBM WebSphere Lombardi Edition is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible.

WebSphere Lombardi Edition 7.2 is vulnerable; other versions may also be affected.

IBM WebSphere Lombardi Edition 'Coach' Script HTML Injection Vulnerability

Attackers can exploit this issue with a browser.

IBM WebSphere Lombardi Edition 'Coach' Script HTML Injection Vulnerability

Solution:
Vendor patch is available. Please see the references for more information.

IBM WebSphere Lombardi Edition 'Coach' Script HTML Injection Vulnerability

References:

• IC79890: ESCAPE-USER-INPUT DOES NOT WORK ON A COACH WITH A DOCUMENT ATTACHMENT C (IBM)
  
• WebSphere Lombardi Edition Homepage (IBM)