Sun ONE and Sun Java System Application Server unspecified parameters cross-site scripting
X-Force ID: sun-java-parameters-xss (27392)
Description:
Sun ONE Application Server and Sun Java System Application Server are vulnerable to cross-site scripting. A remote, unauthorized attacker could exploit this vulnerability using unspecified parameters to execute script in a victim's Web browser within the security context of the hosting Web site, allowing the attacker to steal the victim's cookie-based authentication credentials, hijack a victim's session, or possibly compromise secure data on the server.
Consequences:
Gain Access
Remedy:
Apply the appropriate patch for your system, as listed in Sun Alert ID: 102479. See References.
References:
- Sun Alert ID: 102479: Cross-Site Scripting Vulnerability in Sun ONE and Sun Java System Application Server.
- BID-18635: Sun ONE and Sun Java System Application Server Unspecified Cross-Site Scripting Vulnerability
- CVE-2006-3225: Cross-site scripting (XSS) vulnerability in Sun ONE Application Server 7 before Update 9, Java System Application Server 7 2004Q2 before Update 5, and Java System Application Server Enterprise Edition 8.1 2005 Q1 allows remote attackers to inject arbitrary HTML or web script via unknown vectors.
- SA20835: Sun Java System Application Server Cross-Site Scripting
- SECTRACK ID: 1016378: Sun ONE and Sun Java System Application Server Permit Cross-Site Scripting Attacks
- VUPEN/ADV-2006-2508: Sun ONE and Java System Application Server Cross Site Scripting Vulnerability
Platforms Affected:
- Sun Java System Application Server 7.0 2004Q2 Standard
- Sun Java System Application Server 7.0 2004Q2 Enterprise
- Sun ONE Application Server 7.0
Reported:
Jun 23, 2006
Source: IBM Internet Security Systems X-Force vulnerability database. Corrections or additions: xforce@iss.net
