A fix is available
APAR status
Closed as fixed if next.
Error description
The application session token does not have the "HttpOnly" attribute set when it is created. Because the session token is set without the 'HttpOnly' attribute, client-side scripts such as JavaScript can access it. As such, any Cross-site Scripting (XSS) vulnerability within the application that allows the injection of JavaScript can be used to hijack the victim's session.
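The condition this APAR describes can be checked for in captured HTTP responses. The following is an added example (not IBM's or the DataPower product's own code) that parses Set-Cookie headers and flags session-bearing cookies that lack the HttpOnly attribute (and, as a related hardening, Secure); the cookie names and values are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample Set-Cookie headers. The first two reflect the reported
# defect (a session token issued without HttpOnly); the third is hardened;
# the fourth is a non-session cookie that the audit deliberately ignores.
SAMPLE_HEADERS = [
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure",
    "Set-Cookie: authToken=zzz999; Path=/",
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "Set-Cookie: prefs=dark; Path=/; Max-Age=3600",
]

# Heuristic (an assumption of this example) for cookie names that carry a session.
SESSION_NAME_HINT = re.compile(r"sess|token|auth", re.IGNORECASE)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie line into name, value and a lower-cased attribute map."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Flag attributes (HttpOnly, Secure) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": cookie_value.strip(), "attrs": attrs}


def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; empty list means no issue."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if not SESSION_NAME_HINT.search(str(cookie["name"])):
        return findings  # only session-bearing cookies are in scope
    attrs = cookie["attrs"]
    if "httponly" not in attrs:
        findings.append(f"{cookie['name']}: missing HttpOnly (readable by client-side script)")
    if "secure" not in attrs:
        findings.append(f"{cookie['name']}: missing Secure (may be sent over plain HTTP)")
    return findings


def audit_all(headers: List[str]) -> List[str]:
    """Run the audit over a list of Set-Cookie headers and collect all findings."""
    return [finding for h in headers for finding in audit_cookie(h)]
```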
Local fix
Not available
Problem summary
With the fix, the application session token has the 'HttpOnly' attribute set. The fix will be available in the next major release. For a list of the latest fix packs available, please see: http://www-01.ibm.com/support/docview.wss?uid=swg21237631
Problem conclusion
Temporary fix
Comments
APAR Information
APAR number
IT02094
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
402
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-05-28
Closed date
2014-07-01
Last modified date
2014-07-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
R700 PSN
UP
Document Information
Modified date:
11 February 2022