JBoss Enterprise Application Platform 4 and 5
JBPAPP-2274

CVE-2009-2405 - Inputs passed to parameters in createSnapshot.jsp and createThresholdMonitor.jsp for the Web Console are not sanitized before being returned to the user


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 4.2.0.GA_CP07, 4.3.0.GA_CP05
    • Fix Version/s: 4.2.0.GA_CP08, 4.3.0.GA_CP07
    • Component/s: Consoles
    • Labels: None
    • Environment: JBPAPP_4_2_0_GA_CP r91213
    • Affects: Release Notes

      Description

      Inputs passed to the "monitorName", "objectName", "attribute", and "period" parameters in createSnapshot.jsp and to the "monitorName", "objectName", "attribute", "period", and "threshold" parameters in createThresholdMonitor.jsp are not sanitized before being returned to the user. This can be exploited to allow arbitrary HTML and script code to be executed in a user's browser.

      (See bz#510023: https://bugzilla.redhat.com/show_bug.cgi?id=510023 )
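The flaw described above is reflected cross-site scripting: a request parameter is written back into the HTML response without output encoding. The following Java snippet is an added example, not code from the JBoss Web Console or from the fix shipped in the listed CP releases. It contrasts the unsafe concatenation pattern with an output-encoded version and shows a strict check for the numeric "period" and "threshold" parameters; the class name, the helper names and the sample input are constructed for illustration.

```java
import java.util.OptionalInt;

/** Added example (not the Web Console's own code): encode request parameters
 *  before echoing them into a JSP/HTML response, and validate numeric ones. */
public class ReflectedParamEscaping {

    /** Minimal HTML entity encoding, safe for element text and for values
     *  placed inside double-quoted attributes. */
    static String htmlEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Unsafe pattern: the raw parameter value is concatenated into markup,
     *  which is the behaviour the issue reports for monitorName, objectName,
     *  attribute and period. */
    static String renderUnsafe(String monitorName) {
        return "<input type=\"text\" name=\"monitorName\" value=\""
                + monitorName + "\">";
    }

    /** Hardened pattern: encode at the point of output, for the HTML
     *  attribute context the value lands in. */
    static String renderEscaped(String monitorName) {
        return "<input type=\"text\" name=\"monitorName\" value=\""
                + htmlEscape(monitorName) + "\">";
    }

    /** Parameters that must be numbers (period, threshold) are better
     *  validated than encoded: accept only a non-negative integer and
     *  reject everything else instead of echoing it back. */
    static OptionalInt parseNonNegativeInt(String raw) {
        if (raw == null || raw.isEmpty() || raw.length() > 9) {
            return OptionalInt.empty();
        }
        for (int i = 0; i < raw.length(); i++) {
            if (raw.charAt(i) < '0' || raw.charAt(i) > '9') {
                return OptionalInt.empty();
            }
        }
        return OptionalInt.of(Integer.parseInt(raw));
    }

    public static void main(String[] args) {
        // Constructed sample input containing a quote and angle brackets.
        String input = "cpu\" <b>load</b>";
        System.out.println(renderUnsafe(input));   // quote closes the attribute
        System.out.println(renderEscaped(input));  // characters stay inert text

        System.out.println(parseNonNegativeInt("5000"));   // OptionalInt[5000]
        System.out.println(parseNonNegativeInt("5<000"));  // OptionalInt.empty
    }
}
```

Inside a JSP the same effect is obtained with JSTL's `<c:out value="${param.monitorName}"/>` (which escapes XML characters by default) or `fn:escapeXml()`, rather than writing `${param.monitorName}` or `<%= request.getParameter("monitorName") %>` directly; for detection, a reflected-XSS probe against these two pages returning the probe string unmodified in the response body is the indicator that the unencoded path is still present.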

              People

              • Assignee: istudens Ivo Studensky
              • Reporter: fjuma Farah Juma
              • Votes: 0
              • Watchers: 1
