IBM fixed a cross-site scripting vulnerability in its Worklight and MobileFirst products that could have let an attacker steal sensitive information. Gabriele Gristina, a security consultant for the Italian information security firm Emaze Networks, first found the bug last summer, on August 29, 2016. The vulnerability (CVE-2017-1500) lingered in the products for almost a year. The problem is that the framework didn t properly validate the untrusted input in an authorization function exposed by the RESTful web API.
Source: https://threatpost.com/ibm-patches-reflected-xss-in-worklight-mobilefirst/127162/