IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to identity spoofing by an authenticated user due to improper signature validation. IBM X-Force ID: 294721.
https://www.ibm.com/support/pages/node/7158031
https://www.ibm.com/support/pages/node/7158031