CVE-2009-2405

JBoss Application Server Web Console XSS

Severity Score

4.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple cross-site scripting (XSS) vulnerabilities in the Web Console in the Application Server in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2.0 before 4.2.0.CP08, 4.2.2GA, 4.3 before 4.3.0.CP07, and 5.1.0GA allow remote attackers to inject arbitrary web script or HTML via the (1) monitorName, (2) objectName, (3) attribute, or (4) period parameter to createSnapshot.jsp, or the (5) monitorName, (6) objectName, (7) attribute, (8) threshold, (9) period, or (10) enabled parameter to createThresholdMonitor.jsp. NOTE: some of these details are obtained from third party information.

Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en la consola web en el servidor de aplicaciones en Red Hat JBoss Enterprise Application Platform (también conocido como JBoss EAP or JBEAP) v4.2.0 anteriores a v4.2.0.CP08, v4.2.2GA, v4.3 anteriores a v4.3.0.CP07, y v5.1.0GA permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de los parámetros (1) monitorName, (2) objectName, (3) attribute, or (4) period parameter to createSnapshot.jsp, or the (5) monitorName, (6) objectName, (7) attribute, (8) threshold, (9) period, or (10) enabled para createThresholdMonitor.jsp. NOTA: Algunos de los detalles fueron obtenidos de terceras partes.

*Credits: N/A

CVSS Scores

NISTv2 4.3

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-07-09 CVE Reserved
2009-12-15 CVE Published
2023-11-08 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (16)

URL	Tag	Source
http://securitytracker.com/id?1023315	Vdb Entry
http://www.osvdb.org/60898	Vdb Entry
http://www.osvdb.org/60899	Vdb Entry
http://www.securityfocus.com/bid/37276	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/54700	Vdb Entry
https://jira.jboss.org/jira/browse/JBAS-7105	X_refsource_misc
https://jira.jboss.org/jira/browse/JBPAPP-2274	X_refsource_misc
https://jira.jboss.org/jira/browse/JBPAPP-2284	X_refsource_misc

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=510023	2009-12-10
https://rhn.redhat.com/errata/RHSA-2009-1636.html	2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1637.html	2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1649.html	2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1650.html	2023-11-07

URL	Date	SRC
http://secunia.com/advisories/35680	2023-11-07
http://secunia.com/advisories/37671	2023-11-07
https://access.redhat.com/security/cve/CVE-2009-2405	2009-12-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2"		cp01		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2"		cp02		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2"		cp03		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2.0"		cp01		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2.0"		cp02		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2.0"		cp03		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2.0"		cp04		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2.0"		cp05		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2.0"		cp06		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2.0"		cp07		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2.2"		ga		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.3 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.3"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.3 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.3"		cp01		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.3.0"		cp01		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.3.0"		cp02		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.3.0"		cp03		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.3.0"		cp04		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.1.0"		ga		Affected