WebSphere Lombardi Edition uses a mechanism to silently log in users who have previously authenticated themselves. This mechanism is vulnerable to cross-site scripting attacks.
CVE ID: CVE-2014-6101
**DESCRIPTION:** WebSphere Lombardi Edition is vulnerable to cross-site scripting, which is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user's web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the user's cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96024> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
**AFFECTED PRODUCTS AND VERSIONS:** WebSphere Lombardi Edition V7.2
Install the interim fix for APAR IT04509 as appropriate for your current WebSphere Lombardi Edition version.
The attack requires a user to access a malicious URL that the attacker has constructed for this purpose. Advise your users not to click links of unknown or untrusted origins.