CVE-2009-2405 Information

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Web Console in the Application Server in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2.0 before 4.2.0.CP08 4.2.2GA 4.3 before 4.3.0.CP07 and 5.1.0GA allow remote attackers to inject arbitrary web script or HTML via the (1) monitorName (2) objectName (3) attribute or (4) period parameter to createSnapshot.jsp or the (5) monitorName (6) objectName (7) attribute (8) threshold (9) period or (10) enabled parameter to createThresholdMonitor.jsp. NOTE: some of these details are obtained from third party information.

Reference

http://secunia.com/advisories/35680 http://secunia.com/advisories/37671 http://securitytracker.com/id?1023315 http://www.osvdb.org/60898 http://www.osvdb.org/60899 http://www.securityfocus.com/bid/37276 https://bugzilla.redhat.com/show_bug.cgi?id=510023 https://exchange.xforce.ibmcloud.com/vulnerabilities/54700 https://jira.jboss.org/jira/browse/JBAS-7105 https://jira.jboss.org/jira/browse/JBPAPP-2274 https://jira.jboss.org/jira/browse/JBPAPP-2284 https://rhn.redhat.com/errata/RHSA-2009-1636.html https://rhn.redhat.com/errata/RHSA-2009-1637.html https://rhn.redhat.com/errata/RHSA-2009-1649.html https://rhn.redhat.com/errata/RHSA-2009-1650.html