4.3
CVE-2009-2897
- EPSS 0.67%
- Published 13.10.2009 10:30:00
- Last modified 09.04.2025 00:30:58
- Source secalert@redhat.com
- Teams watchlist Login
- Open Login
Multiple cross-site scripting (XSS) vulnerabilities in hq/web/common/GenericError.jsp in the generic exception handler in the web interface in SpringSource Hyperic HQ 3.2.x before 3.2.6.1, 4.0.x before 4.0.3.1, 4.1.x before 4.1.2.1, and 4.2-beta1; Application Management Suite (AMS) 2.0.0.SR3; and tc Server 6.0.20.B allow remote attackers to inject arbitrary web script or HTML via invalid values for numerical parameters, as demonstrated by an uncaught java.lang.NumberFormatException exception resulting from (1) the typeId parameter to mastheadAttach.do, (2) the eid parameter to Resource.do, and (3) the u parameter in a view action to admin/user/UserAdmin.do. NOTE: some of these details are obtained from third party information.
Data is provided by the National Vulnerability Database (NVD)
Springsource ≫ Application Management Suite Version2.0.0 Updatesr3
Springsource ≫ Hyperic Hq Version3.2 Updatebeta_1
Springsource ≫ Hyperic Hq Version3.2.0
Springsource ≫ Hyperic Hq Version3.2.1
Springsource ≫ Hyperic Hq Version3.2.2
Springsource ≫ Hyperic Hq Version3.2.3
Springsource ≫ Hyperic Hq Version3.2.4
Springsource ≫ Hyperic Hq Version3.2.5
Springsource ≫ Hyperic Hq Version3.2.6
Springsource ≫ Hyperic Hq Version4.0.0
Springsource ≫ Hyperic Hq Version4.0.1
Springsource ≫ Hyperic Hq Version4.0.2
Springsource ≫ Hyperic Hq Version4.0.3
Springsource ≫ Hyperic Hq Version4.1.0
Springsource ≫ Hyperic Hq Version4.1.1
Springsource ≫ Hyperic Hq Version4.1.2
Springsource ≫ Hyperic Hq Version4.2 Updatebeta_1
Springsource ≫ Tc Server Version6.0.20 Updateb
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.67% | 0.688 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.