JBoss Application Server Administrative Console Cross-Site Scripting Vulnerability

Bugtraq ID:	50885
Class:	Input Validation Error
CVE:	CVE-2011-3606
Remote:	Yes
Local:	No
Published:	Dec 02 2011 12:00AM
Updated:	Dec 02 2011 12:00AM
Credit:	David Black
Vulnerable:	Red Hat JBoss Application Server 7.0
Not Vulnerable:

JBoss Application Server Administrative Console Cross-Site Scripting Vulnerability

JBoss Application Server is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.

An attacker could leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

JBoss Application Server 7.0 is vulnerable; other versions may also be affected.

JBoss Application Server Administrative Console Cross-Site Scripting Vulnerability

To exploit this issue, an attacker must entice an unsuspecting victim to follow a malicious URI.

JBoss Application Server Administrative Console Cross-Site Scripting Vulnerability

Solution:
Updates are available. Please see the references for more details.

JBoss Application Server Administrative Console Cross-Site Scripting Vulnerability

References:

• (CVE-2011-3606) CVE-2011-3606 JBoss AS: DOM based XSS in the administration cons (Red Hat)
  
• JBoss Community Homepage (JBoss Group)