Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.3
CVE Id CVE-2009-2405
Last Modified 16 Dec 2009 12:00:00
Published 15 Dec 2009 01:30:00
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2009-2405

Summary

Multiple cross-site scripting (XSS) vulnerabilities in the Web Console in the Application Server in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2.0 before 4.2.0.CP08, 4.2.2GA, 4.3 before 4.3.0.CP07, and 5.1.0GA allow remote attackers to inject arbitrary web script or HTML via the (1) monitorName, (2) objectName, (3) attribute, or (4) period parameter to createSnapshot.jsp, or the (5) monitorName, (6) objectName, (7) attribute, (8) threshold, (9) period, or (10) enabled parameter to createThresholdMonitor.jsp. NOTE: some of these details are obtained from third party information.

Vulnerable Systems

Application

  • Redhat Jboss Enterprise Application Platform 4.2

  • Redhat Jboss Enterprise Application Platform 4.2.0

  • Redhat Jboss Enterprise Application Platform 4.2.2

  • Redhat Jboss Enterprise Application Platform 4.3

  • Redhat Jboss Enterprise Application Platform 4.3.0

  • Redhat Jboss Enterprise Application Platform 5.1.0

References

REDHAT - RHSA-2009:1650

REDHAT - RHSA-2009:1649

REDHAT - RHSA-2009:1637

REDHAT - RHSA-2009:1636

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=510023

MISC - https://jira.jboss.org/jira/browse/JBPAPP-2284

MISC - https://jira.jboss.org/jira/browse/JBPAPP-2274

MISC - https://jira.jboss.org/jira/browse/JBAS-7105

XF - jboss-createsnapshot-xss(54700)

BID - 37276

OSVDB - 60899

OSVDB - 60898

SECTRACK - 1023315

SECUNIA - 37671

SECUNIA - 35680

Last Updated: 27 May 2016 10:50:53