CVE-2009-3731

Severity Score

4.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable through index.html and wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, or (5) the window.opener component in wwhelp/wwhimpl/common/html/bookmark.htm, related to (a) unspecified parameters and (b) messages used in topic links for the bookmarking functionality.

Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en WebWorks Help v2.0 a la v5.0 en VMware vCenter v4.0 anterior a Update 1 Build 208156; VMware Server v2.0.2; VMware ESX v4.0; VMware Lab Manager v2.x; VMware vCenter Lab Manager v3.x y v4.x anterior a v4.0.1; VMware Stage Manager v1.x anterior a v4.0.1; WebWorks Publisher v6.x a la v8.x; WebWorks Publisher 2003; y WebWorks ePublisher v9.0.x a la v9.3, 2008.1 a la 2008.4, y 2009.x anterior a 2009.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de (1) wwhelp_entry.html alcanzable a través d index.html y wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, o (5) el componente window.opener en wwhelp/wwhimpl/common/html/bookmark.htm, relacionado con (a) parámetros desconocidos y (b) mensajes usados en los enlaces de "topic" para la funcionalidad de marcadores.

*Credits: N/A

CVSS Scores

NISTv2 4.3

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-10-20 CVE Reserved
2009-12-15 CVE Published
2023-03-07 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (14)

URL	Tag	Source
http://archives.neohapsis.com/archives/bugtraq/2009-12/0229.html	Mailing List
http://secunia.com/advisories/38749	Third Party Advisory
http://secunia.com/advisories/38842	Third Party Advisory
http://securitytracker.com/id?1023683	Vdb Entry
http://www.osvdb.org/62738	Vdb Entry
http://www.osvdb.org/62739	Vdb Entry
http://www.osvdb.org/62740	Vdb Entry
http://www.osvdb.org/62741	Vdb Entry
http://www.osvdb.org/62742	Vdb Entry
http://www.securityfocus.com/archive/1/509883/100/0/threaded	Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5944	Signature

URL	Date	SRC

URL	Date	SRC
http://www.securityfocus.com/bid/37346	2018-10-10
http://www.webworks.com/Security/2009-0001	2018-10-10

URL	Date	SRC
http://lists.vmware.com/pipermail/security-announce/2009/000073.html	2018-10-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Vmware Search vendor "Vmware"	Vcenter Search vendor "Vmware" for product "Vcenter"	4.0 Search vendor "Vmware" for product "Vcenter" and version "4.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Webworks Search vendor "Webworks"		Epublisher Search vendor "Webworks" for product "Epublisher"				9.0 Search vendor "Webworks" for product "Epublisher" and version "9.0"		-		Affected
Webworks Search vendor "Webworks"		Epublisher Search vendor "Webworks" for product "Epublisher"				9.1 Search vendor "Webworks" for product "Epublisher" and version "9.1"		-		Affected
Webworks Search vendor "Webworks"		Epublisher Search vendor "Webworks" for product "Epublisher"				9.2 Search vendor "Webworks" for product "Epublisher" and version "9.2"		-		Affected
Webworks Search vendor "Webworks"		Epublisher Search vendor "Webworks" for product "Epublisher"				9.3 Search vendor "Webworks" for product "Epublisher" and version "9.3"		-		Affected
Webworks Search vendor "Webworks"		Epublisher Search vendor "Webworks" for product "Epublisher"				2008.1 Search vendor "Webworks" for product "Epublisher" and version "2008.1"		-		Affected
Webworks Search vendor "Webworks"		Epublisher Search vendor "Webworks" for product "Epublisher"				2008.2 Search vendor "Webworks" for product "Epublisher" and version "2008.2"		-		Affected
Webworks Search vendor "Webworks"		Epublisher Search vendor "Webworks" for product "Epublisher"				2008.3 Search vendor "Webworks" for product "Epublisher" and version "2008.3"		-		Affected
Webworks Search vendor "Webworks"		Epublisher Search vendor "Webworks" for product "Epublisher"				2008.4 Search vendor "Webworks" for product "Epublisher" and version "2008.4"		-		Affected
Webworks Search vendor "Webworks"		Epublisher Search vendor "Webworks" for product "Epublisher"				2009.1 Search vendor "Webworks" for product "Epublisher" and version "2009.1"		-		Affected
Webworks Search vendor "Webworks"		Epublisher Search vendor "Webworks" for product "Epublisher"				2009.2 Search vendor "Webworks" for product "Epublisher" and version "2009.2"		-		Affected
Webworks Search vendor "Webworks"		Help Search vendor "Webworks" for product "Help"				2.0 Search vendor "Webworks" for product "Help" and version "2.0"		-		Affected
Webworks Search vendor "Webworks"		Help Search vendor "Webworks" for product "Help"				3.0 Search vendor "Webworks" for product "Help" and version "3.0"		-		Affected
Webworks Search vendor "Webworks"		Help Search vendor "Webworks" for product "Help"				4.0 Search vendor "Webworks" for product "Help" and version "4.0"		-		Affected
Webworks Search vendor "Webworks"		Help Search vendor "Webworks" for product "Help"				5.0 Search vendor "Webworks" for product "Help" and version "5.0"		-		Affected
Webworks Search vendor "Webworks"		Publisher Search vendor "Webworks" for product "Publisher"				6.0 Search vendor "Webworks" for product "Publisher" and version "6.0"		-		Affected
Webworks Search vendor "Webworks"		Publisher Search vendor "Webworks" for product "Publisher"				7.0 Search vendor "Webworks" for product "Publisher" and version "7.0"		-		Affected
Webworks Search vendor "Webworks"		Publisher Search vendor "Webworks" for product "Publisher"				8.0 Search vendor "Webworks" for product "Publisher" and version "8.0"		-		Affected
Webworks Search vendor "Webworks"		Publisher Search vendor "Webworks" for product "Publisher"				2003 Search vendor "Webworks" for product "Publisher" and version "2003"		-		Affected
Vmware Search vendor "Vmware"		Esx Server Search vendor "Vmware" for product "Esx Server"				4.0 Search vendor "Vmware" for product "Esx Server" and version "4.0"		-		Affected
Vmware Search vendor "Vmware"		Lab Manager Search vendor "Vmware" for product "Lab Manager"				2.0 Search vendor "Vmware" for product "Lab Manager" and version "2.0"		-		Affected
Vmware Search vendor "Vmware"		Server Search vendor "Vmware" for product "Server"				2.0.2 Search vendor "Vmware" for product "Server" and version "2.0.2"		-		Affected
Vmware Search vendor "Vmware"		Stage Manager Search vendor "Vmware" for product "Stage Manager"				<= 4.0 Search vendor "Vmware" for product "Stage Manager" and version " <= 4.0"		-		Affected
Vmware Search vendor "Vmware"		Stage Manager Search vendor "Vmware" for product "Stage Manager"				1.0 Search vendor "Vmware" for product "Stage Manager" and version "1.0"		-		Affected
Vmware Search vendor "Vmware"		Vcenter Lab Manager Search vendor "Vmware" for product "Vcenter Lab Manager"				3.0 Search vendor "Vmware" for product "Vcenter Lab Manager" and version "3.0"		-		Affected
Vmware Search vendor "Vmware"		Vcenter Lab Manager Search vendor "Vmware" for product "Vcenter Lab Manager"				3.0.1 Search vendor "Vmware" for product "Vcenter Lab Manager" and version "3.0.1"		-		Affected
Vmware Search vendor "Vmware"		Vcenter Lab Manager Search vendor "Vmware" for product "Vcenter Lab Manager"				3.0.2 Search vendor "Vmware" for product "Vcenter Lab Manager" and version "3.0.2"		-		Affected
Vmware Search vendor "Vmware"		Vcenter Lab Manager Search vendor "Vmware" for product "Vcenter Lab Manager"				4.0 Search vendor "Vmware" for product "Vcenter Lab Manager" and version "4.0"		-		Affected
Vmware Search vendor "Vmware"		Vcenter Stage Manager Search vendor "Vmware" for product "Vcenter Stage Manager"				1.0.1 Search vendor "Vmware" for product "Vcenter Stage Manager" and version "1.0.1"		-		Affected