Vulnerability Details CVE-2009-2405
Multiple cross-site scripting (XSS) vulnerabilities in the Web Console in the Application Server in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2.0 before 4.2.0.CP08, 4.2.2GA, 4.3 before 4.3.0.CP07, and 5.1.0GA allow remote attackers to inject arbitrary web script or HTML via the (1) monitorName, (2) objectName, (3) attribute, or (4) period parameter to createSnapshot.jsp, or the (5) monitorName, (6) objectName, (7) attribute, (8) threshold, (9) period, or (10) enabled parameter to createThresholdMonitor.jsp. NOTE: some of these details are obtained from third party information.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 72.8%
CVSS Severity
CVSS v2 Score 4.3
References
- http://secunia.com/advisories/35680
- http://secunia.com/advisories/37671
- http://securitytracker.com/id?1023315
- http://www.osvdb.org/60898
- http://www.osvdb.org/60899
- http://www.securityfocus.com/bid/37276
- https://bugzilla.redhat.com/show_bug.cgi?id=510023
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54700
- https://jira.jboss.org/jira/browse/JBAS-7105
- https://jira.jboss.org/jira/browse/JBPAPP-2274
- https://jira.jboss.org/jira/browse/JBPAPP-2284
- https://rhn.redhat.com/errata/RHSA-2009-1636.html
- https://rhn.redhat.com/errata/RHSA-2009-1637.html
- https://rhn.redhat.com/errata/RHSA-2009-1649.html
- https://rhn.redhat.com/errata/RHSA-2009-1650.html
- http://secunia.com/advisories/35680
- http://secunia.com/advisories/37671
- http://securitytracker.com/id?1023315
- http://www.osvdb.org/60898
- http://www.osvdb.org/60899
- http://www.securityfocus.com/bid/37276
- https://bugzilla.redhat.com/show_bug.cgi?id=510023
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54700
- https://jira.jboss.org/jira/browse/JBAS-7105
- https://jira.jboss.org/jira/browse/JBPAPP-2274
- https://jira.jboss.org/jira/browse/JBPAPP-2284
- https://rhn.redhat.com/errata/RHSA-2009-1636.html
- https://rhn.redhat.com/errata/RHSA-2009-1637.html
- https://rhn.redhat.com/errata/RHSA-2009-1649.html
- https://rhn.redhat.com/errata/RHSA-2009-1650.html
Products affected by CVE-2009-2405
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.2
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0