CVE-2009-1380 : Cross-site scripting (XSS) vulnerability in JMX-Console in JBossAs in Red Hat JB

Cross-site scripting (XSS) vulnerability in JMX-Console in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP08 and 4.3 before 4.3.0.CP07 allows remote attackers to inject arbitrary web script or HTML via the filter parameter, related to the key property and the position of quote and colon characters.

Published 2009-12-15 18:30:00

Updated 2023-02-13 02:20:10

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2009-1380

Redhat » Jboss Enterprise Application Platform » Version: 4.2 Update Cp01
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp01:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2 Update Cp02
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp02:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.3.0 Update Cp03
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp03:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.3.0 Update Cp04
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp04:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp02
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp02:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp01
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp01:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.3.0 Update Cp01
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp01:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.3.0 Update Cp02
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp02:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp03
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp03:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp04
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp04:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp05
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp05:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp06
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp06:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2 Update Cp03
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp03:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.3 Update Cp01
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3:cp01:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp07
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp07:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2009-1380

EPSS FAQ

0.60%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 68 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2009-1380

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2009-1380

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2009-1380

https://jira.jboss.org/jira/browse/JBPAPP-1983
https://rhn.redhat.com/errata/RHSA-2009-1650.html

Vendor Advisory

CVEs referencing this url
https://rhn.redhat.com/errata/RHSA-2009-1637.html

CVEs referencing this url
https://rhn.redhat.com/errata/RHSA-2009-1649.html

RHSA-2009:1649 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/37276

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=511224

Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/54698
http://securitytracker.com/id?1023315

CVEs referencing this url
https://rhn.redhat.com/errata/RHSA-2009-1636.html

Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2009-1380

Products affected by CVE-2009-1380

Exploit prediction scoring system (EPSS) score for CVE-2009-1380

CVSS scores for CVE-2009-1380

CWE ids for CVE-2009-1380

References for CVE-2009-1380