{"api_version":"1","generated_at":"2026-04-22T23:20:41+00:00","cve":"CVE-2009-0038","urls":{"html":"https://cve.report/CVE-2009-0038","api":"https://cve.report/api/cve/CVE-2009-0038.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2009-0038","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2009-0038"},"summary":{"title":"CVE-2009-0038","description":"Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring; or (5) the PATH_INFO to the default URI under console/portal/.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2009-04-17 14:30:00","updated_at":"2018-10-11 20:59:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"http://dsecrg.com/pages/vul/show.php?id=119","name":"http://dsecrg.com/pages/vul/show.php?id=119","refsource":"MISC","tags":["Exploit"],"title":"Digital Security Research Group - [DSECRG-09-019] Apache Geronimo -  Multiple XSS vulnerabilities","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214","name":"http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"Apache Geronimo : 2.1.x Security Report","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/34715","name":"34715","refsource":"SECUNIA","tags":[],"title":"Apache Geronimo Multiple Vulnerabilities - Secunia Advisories - Vulnerability Information - Secunia.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://issues.apache.org/jira/browse/GERONIMO-4597","name":"http://issues.apache.org/jira/browse/GERONIMO-4597","refsource":"CONFIRM","tags":["Patch"],"title":"[GERONIMO-4597] Validate Web Admin Console input - address admin console security vulnerabilities - ASF JIRA","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/502734/100/0/threaded","name":"20090416 [DSECRG-09-019] Apache Geronimo - XSS vulnerabilities.txt","refsource":"BUGTRAQ","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www.vupen.com/english/advisories/2009/1089","name":"ADV-2009-1089","refsource":"VUPEN","tags":[],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/34562","name":"34562","refsource":"BID","tags":["Exploit"],"title":"504 Gateway Time-out","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2009-0038","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-0038","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2009","cve_id":"38","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"38","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"38","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"38","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"38","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"38","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"38","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"38","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","ID":"CVE-2009-0038","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring; or (5) the PATH_INFO to the default URI under console/portal/."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214","refsource":"CONFIRM","url":"http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214"},{"name":"ADV-2009-1089","refsource":"VUPEN","url":"http://www.vupen.com/english/advisories/2009/1089"},{"name":"34562","refsource":"BID","url":"http://www.securityfocus.com/bid/34562"},{"name":"20090416 [DSECRG-09-019] Apache Geronimo - XSS vulnerabilities.txt","refsource":"BUGTRAQ","url":"http://www.securityfocus.com/archive/1/502734/100/0/threaded"},{"name":"http://issues.apache.org/jira/browse/GERONIMO-4597","refsource":"CONFIRM","url":"http://issues.apache.org/jira/browse/GERONIMO-4597"},{"name":"34715","refsource":"SECUNIA","url":"http://secunia.com/advisories/34715"},{"name":"http://dsecrg.com/pages/vul/show.php?id=119","refsource":"MISC","url":"http://dsecrg.com/pages/vul/show.php?id=119"}]}},"nvd":{"publishedDate":"2009-04-17 14:30:00","lastModifiedDate":"2018-10-11 20:59:00","problem_types":["CWE-79"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:geronimo:2.1.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:geronimo:2.1.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:geronimo:2.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:geronimo:2.1.3:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2009","CveId":"38","Ordinal":"35557","Title":"CVE-2009-0038","CVE":"CVE-2009-0038","Year":"2009"},"notes":[{"CveYear":"2009","CveId":"38","Ordinal":"1","NoteData":"Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring; or (5) the PATH_INFO to the default URI under console/portal/.","Type":"Description","Title":null},{"CveYear":"2009","CveId":"38","Ordinal":"2","NoteData":"2009-04-17","Type":"Other","Title":"Published"},{"CveYear":"2009","CveId":"38","Ordinal":"3","NoteData":"2018-10-11","Type":"Other","Title":"Modified"}]}}}