CVE-2009-2268

Cross-site scripting (XSS) vulnerability in the Cross-Domain Controller (CDC) servlet in Sun Java System Access Manager 6 2005Q1, 7 2005Q4, and 7.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS v2.0 2.6 LOW

2.6^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:H/Au:N/C:N/I:P/A:N

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://secunia.com/advisories/35651	Vendor Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-21-126356-03-1	Patch
http://sunsolve.sun.com/search/document.do?assetkey=1-66-256568-1	Patch Vendor Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020343.1-1
http://secunia.com/advisories/35651	Vendor Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-21-126356-03-1	Patch
http://sunsolve.sun.com/search/document.do?assetkey=1-66-256568-1	Patch Vendor Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020343.1-1

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sun:java_system_access_manager:6:::::::*
	cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1::linux:::::
	cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1::solaris_10_sparc:::::
	cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1::solaris_10_x86:::::
	cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1::solaris_8_sparc:::::
	cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1::solaris_8_x86:::::
	cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1::solaris_9_sparc:::::
	cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1::solaris_9_x86:::::
	cpe:2.3:a:sun:java_system_access_manager:7.0:::::::*
	cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4::hp-ux:::::
	cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4::linux:::::
	cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4::solaris10_x86:::::
	cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4::solaris9_x86:::::
	cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4::windows:::::
	cpe:2.3:a:sun:java_system_access_manager:7.1:::::::*
	cpe:2.3:a:sun:java_system_access_manager:7.1::linux:::::
	cpe:2.3:a:sun:java_system_access_manager:7.1::solaris_10_sparc:::::
	cpe:2.3:a:sun:java_system_access_manager:7.1::solaris_10_x86:::::
	cpe:2.3:a:sun:java_system_access_manager:7.1::solaris_8_sparc:::::
	cpe:2.3:a:sun:java_system_access_manager:7.1::solaris_8_x86:::::
	cpe:2.3:a:sun:java_system_access_manager:7.1::solaris_9_sparc:::::
	cpe:2.3:a:sun:java_system_access_manager:7.1::solaris_9_x86:::::
	cpe:2.3:a:sun:java_system_access_manager:7.1::windows:::::
	cpe:2.3:a:sun:java_system_access_manager:7_2005q4::solaris_10_sparc:::::
	cpe:2.3:a:sun:java_system_access_manager:7_2005q4::solaris_8_sparc:::::
	cpe:2.3:a:sun:java_system_access_manager:7_2005q4::solaris_9_sparc:::::

History

21 Nov 2024, 01:04

Type	Values Removed	Values Added
References	~~() http://secunia.com/advisories/35651 - Vendor Advisory~~	() http://secunia.com/advisories/35651 - Vendor Advisory
References	~~() http://sunsolve.sun.com/search/document.do?assetkey=1-21-126356-03-1 - Patch~~	() http://sunsolve.sun.com/search/document.do?assetkey=1-21-126356-03-1 - Patch
References	~~() http://sunsolve.sun.com/search/document.do?assetkey=1-66-256568-1 - Vendor Advisory, Patch~~	() http://sunsolve.sun.com/search/document.do?assetkey=1-66-256568-1 - Patch, Vendor Advisory
References	~~() http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020343.1-1 -~~	() http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020343.1-1 -

Information

Published : 2009-07-01 13:00

Updated : 2025-04-09 00:30

NVD link : CVE-2009-2268

Mitre link : CVE-2009-2268

CVE.ORG link : CVE-2009-2268

JSON object : View

Products Affected

sun

java_system_access_manager

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2009-2268", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.6, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2009-07-01T13:00:01.420", "references": [{"url": "http://secunia.com/advisories/35651", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-126356-03-1", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-256568-1", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020343.1-1", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/35651", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-126356-03-1", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-256568-1", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020343.1-1", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Cross-Domain Controller (CDC) servlet in Sun Java System Access Manager 6 2005Q1, 7 2005Q4, and 7.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en el Cross-Domain Controller (CDC) servlet en Sun Java System Access Manager v6 2005Q1, v7 2005Q4, y v7.1, permite a atacantes remotos ejecutar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s de vectores no especificados."}], "lastModified": "2025-04-09T00:30:58.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sun:java_system_access_manager:6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51EDB8CC-FD50-468F-BF06-91F415E1532D"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1:*:linux:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6FAE06D6-34FF-45CA-9CD9-841817E787FA"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1:*:solaris_10_sparc:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C45AE084-74CB-47C7-8103-EBDEE2C3A2F1"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1:*:solaris_10_x86:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97A8B7AC-8343-4CDB-8757-12648D0C5B91"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1:*:solaris_8_sparc:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84B5BE3F-27E7-4B3B-BD7B-A614DA625A36"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1:*:solaris_8_x86:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3BE405DA-2ACF-4935-99D9-2E8940FBA279"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1:*:solaris_9_sparc:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3566E0BB-A6B9-49A0-9B6C-918A1F11CE6C"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:6.0_2005q1:*:solaris_9_x86:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A666DA6-E83C-4B37-913E-3FAD7B9EE4F7"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D88350FE-285D-4144-B7DC-5E1F8579CC56"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4:*:hp-ux:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2807FF5E-F638-4F08-B34C-4532C1BC9908"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4:*:linux:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34B7F28D-CBA5-44F7-AE6E-5EEB0EAF63B4"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4:*:solaris10_x86:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7A0F58C0-642D-4FC2-94B6-35D3CA936DFB"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4:*:solaris9_x86:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "85E0C292-E453-4F14-915A-41AB7FBF21F8"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4:*:windows:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7821A43-2549-4B75-A201-95A3AC58E8BF"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B5B089E-62AC-44E5-9462-DC439C7AA8A5"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.1:*:linux:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4CCDA95C-0EFF-4CF4-8CC6-EF110F0DAE76"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_sparc:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28F24915-078C-4E4B-B173-671F0ABF9656"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_x86:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AD06B92E-C23C-4648-A585-14FC54538FA2"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_sparc:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAABA44E-5FD1-4B71-A4DE-9DC671DD8223"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_x86:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4930E838-993A-4DA1-B504-4675EE20CF69"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_sparc:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A857F82-4146-48E9-8568-19393AC3856B"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_x86:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D28C8EF-7525-48A0-A13A-EA95479A3B35"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7.1:*:windows:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36C5F1CB-FEDE-4C19-B056-C846C86FDE8E"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_10_sparc:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B56B9BD3-2708-46C3-850D-865599F88BF9"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_8_sparc:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6391170-5831-4303-85E5-A51BB431E788"}, {"criteria": "cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_9_sparc:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "745D8651-B97C-48A9-AE4F-603A34516919"}], "operator": "OR"}]}], "evaluatorImpact": "Per: http://secunia.com/advisories/35651\r\n\r\n\"NOTE: This only affects Sun Java System Access Manager if Cross-Domain Single Sign-On (CDSSO) functionality is enabled.\"", "sourceIdentifier": "cve@mitre.org"}

2.6 /10