ISS X-Force Database: sun-jsf-routines-xss(41081): Sun Java Server Faces (JSF) routines cross-site scripting

Sun Java Server Faces (JSF) routines cross-site scripting

sun-jsf-routines-xss (41081)

Medium Risk

Description:

Sun Java Server Faces (JSF) is vulnerable to cross-site scripting, caused by the improper processing of data by the input handling routines. A remote or local attacker could exploit this vulnerability to inject or execute arbitrary code with the privileges of the victim using the JSF application.

Platforms Affected:

RedHat, JBoss Enterprise Application Platform 4.2.0 EL4
RedHat, JBoss Enterprise Application Platform 4.2.0 EL5
RedHat, JBoss Enterprise Application Platform 4.3.0 EL5
RedHat, JBoss Enterprise Application Platform 4.3.0 EL4
Sun, JSF 1.2

Remedy:

Refer to Sun Alert ID: 233561 for patch, upgrade or suggested workaround information. See References.

Consequences:

Gain Access

References:

Sun Alert ID: 233561, Cross Site Scripting (XSS) Vulnerability in Sun Java Server Faces (JSF) Input Handling Routines May Lead to Elevation of Privileges at http://sunsolve.sun.com/search/document.do?assetkey=1-66-233561-1.
ASA-2008-106: Cross Site Scripting (XSS) Vulnerability in Sun Java Server Faces (JSF) Input Handling Routines May Lead to Elevation of Privileges (Sun 233561)
BID-28192: Sun Java Server Faces Cross-Site Scripting Vulnerability
CVE-2008-1285: Cross-site scripting (XSS) vulnerability in Sun Java Server Faces (JSF) 1.2 before 1.2_08 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
FrSIRT/ADV-2008-0808: Sun Java Server Faces Client-Side Cross Site Scripting Vulnerability
RHSA-2008-0825: Moderate: JBoss Enterprise Application Platform 4.2.0.CP03 security update
RHSA-2008-0826: Moderate: JBoss Enterprise Application Platform 4.3.0.CP01 security update
RHSA-2008-0827: Moderate: JBoss Enterprise Application Platform 4.2.0.CP03 security update
RHSA-2008-0828: Moderate: JBoss Enterprise Application Platform 4.3.0CP01 security update
SA29327: Sun Java Server Faces Input Handling Cross-Site Scripting
SECTRACK ID: 1020628: JBoss Input Validation Hole in JavaServer Faces Permits Cross-Site Scripting Attacks and Access Control Bug in Status Servlet Lets Remote Users Obtain Information

Reported:

Feb 27, 2008

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page