Vulnerability Details : CVE-2011-3606
A DOM-based cross-site scripting flaw was found in the administration console of JBoss Application Server 7 before 7.1.0 Beta 1. A remote attacker could craft a web page and trick a valid JBoss AS user holding administrator privileges into visiting it; because the injected data is handled client-side, the attacker's input modifies the DOM of the console page and executes arbitrary HTML or web script in the administrator's session.
Vulnerability category: Cross site scripting (XSS)
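The flaw class above is a DOM-based XSS: the attacker's data never needs to pass through the server, because client-side script reads it from a source such as the URL fragment and writes it into an HTML sink. The following is an added illustration, not code from JBoss AS or from the Red Hat advisory: a hypothetical console page that takes a resource name from `location.hash` and renders it, shown as the vulnerable `innerHTML` sink beside two fixes. The element stand-in (`makeElement`), the function names, and the attacker fragments are all constructed for this example so it runs under Node without a browser.

```javascript
// Added example, not JBoss AS code: DOM-based XSS source/sink flow in a
// hypothetical admin-console page, with the vulnerable sink beside two fixes.
// Runs under Node: a small stand-in replaces the DOM element it would touch.

// Constructed stand-in for document.getElementById("resource-title").
// It models only what this example needs: assigning textContent stores the
// text and serialises it escaped into innerHTML, as a browser would.
function makeElement() {
  const el = { _html: "", _text: "" };
  Object.defineProperty(el, "innerHTML", {
    get() { return this._html; },
    set(v) { this._html = String(v); },
  });
  Object.defineProperty(el, "textContent", {
    get() { return this._text; },
    set(v) { this._text = String(v); this._html = escapeHtml(v); },
  });
  return el;
}

// Source: the URL fragment. It is never sent to the server and is fully
// attacker-controlled once the victim follows a crafted link such as
//   https://console.example/#<img src=x onerror=alert(document.cookie)>
// (decodeURIComponent throws on malformed %-sequences; callers should
// treat that as a reason to render nothing.)
function resourceNameFromHash(hash) {
  return decodeURIComponent(hash.replace(/^#/, ""));
}

// VULNERABLE: the untrusted fragment is concatenated into markup and written
// to innerHTML, an HTML sink, so any tags in it are parsed and executed.
function renderResourceVulnerable(el, hash) {
  el.innerHTML = "<h2>Resource: " + resourceNameFromHash(hash) + "</h2>";
  return el.innerHTML;
}

// FIX 1 (preferred): route the value through a text sink. The browser treats
// the string as character data, so "<" never starts a tag.
function renderResourceHardened(el, hash) {
  el.textContent = "Resource: " + resourceNameFromHash(hash);
  return el.textContent;
}

// FIX 2: when an HTML sink is unavoidable, HTML-encode the untrusted value
// before concatenation. All five significant characters are encoded.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

function renderResourceEscaped(el, hash) {
  el.innerHTML = "<h2>Resource: " + escapeHtml(resourceNameFromHash(hash)) + "</h2>";
  return el.innerHTML;
}

// Crude tell-tale for a review or test: did a tag from the untrusted input
// survive verbatim into the element's HTML (i.e. reach the HTML sink unencoded)?
function untrustedTagInHtml(hash, el) {
  const raw = resourceNameFromHash(hash);
  const m = raw.match(/<[a-zA-Z][^>]*>/);
  return m !== null && el.innerHTML.indexOf(m[0]) !== -1;
}

// Constructed attacker fragments. The second shows that percent-encoding the
// link does not help: the page decodes it before the value reaches the sink.
const PAYLOAD_PLAIN = "#<img src=x onerror=alert(document.cookie)>";
const PAYLOAD_ENCODED = "#%3Cscript%3Ealert(1)%3C%2Fscript%3E";

for (const p of [PAYLOAD_PLAIN, PAYLOAD_ENCODED]) {
  const v = makeElement(), h = makeElement(), e = makeElement();
  renderResourceVulnerable(v, p);
  renderResourceHardened(h, p);
  renderResourceEscaped(e, p);
  console.log("fragment   :", p);
  console.log("innerHTML  :", v.innerHTML, "| tag reached sink:", untrustedTagInHtml(p, v));
  console.log("textContent:", h.innerHTML, "| tag reached sink:", untrustedTagInHtml(p, h));
  console.log("escaped    :", e.innerHTML, "| tag reached sink:", untrustedTagInHtml(p, e));
}
```

The text-sink fix is the one to reach for first: it removes the HTML parser from the data path entirely, whereas encoding must be applied correctly at every sink and re-checked whenever the template changes. Neither fix is specific to the JBoss console; they are the generic remedies for the CWE class this CVE is filed under.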
Products affected by CVE-2011-3606
- cpe:2.3:a:redhat:jboss_application_server:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_application_server:7.0.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_application_server:7.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_application_server:7.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_application_server:7.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_application_server:7.0.0:cr1:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_application_server:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_application_server:7.0.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-3606
EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~45% (proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2011-3606
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | 
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST | 
CWE ids for CVE-2011-3606
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2011-3606
- https://security-tracker.debian.org/tracker/CVE-2011-3606 (CVE-2011-3606; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606 (742984: (CVE-2011-3606) JBoss AS: DOM based XSS in the administration console; Issue Tracking, Third Party Advisory)
- https://access.redhat.com/security/cve/cve-2011-3606 (CVE-2011-3606, Red Hat Customer Portal; Third Party Advisory)