Oracle GlassFish Server Multiple Cross Site Scripting and HTML Injection Vulnerabilities
BID: 53136
Info
| Bugtraq ID: | 53136 |
| Class: | Input Validation Error |
| CVE: | CVE-2012-0551 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 18 2012 12:00AM |
| Updated: | Aug 02 2017 06:09PM |
| Credit: | Roberto Suggi Liverani |
| Vulnerable: | Xerox FreeFlow Print Server (FFPS) 73.C0.41 Xerox FreeFlow Print Server (FFPS) 73.B3.61 VMWare ESX 4.0 VMWare ESX 3.5 SuSE SUSE Linux Enterprise Server for VMware 11 SP2 SuSE SUSE Linux Enterprise Server 11 SP2 SuSE SUSE Linux Enterprise Java 11 SP2 SuSE Linux Enterprise Software Development Kit 11 SP2 Sun JRE (Windows Production Release) 1.6 _17 Sun JRE (Windows Production Release) 1.6 _13 Sun JRE (Windows Production Release) 1.6 _12 Sun JRE (Windows Production Release) 1.6 _10 Sun JRE (Windows Production Release) 1.6 _07 Sun JRE (Windows Production Release) 1.6 _06 Sun JRE (Windows Production Release) 1.6 _05 Sun JRE (Windows Production Release) 1.6 _04 Sun JRE (Windows Production Release) 1.6 Sun JRE (Windows Production Release) 1.7 Sun JRE (Windows Production Release) 1.6.0_31 Sun JRE (Windows Production Release) 1.6.0_21 Sun JRE (Windows Production Release) 1.6.0_20 Sun JRE (Windows Production Release) 1.6.0_2 Sun JRE (Windows Production Release) 1.6.0_19 Sun JRE (Windows Production Release) 1.6.0_18 Sun JRE (Windows Production Release) 1.6.0_15 Sun JRE (Windows Production Release) 1.6.0_14 Sun JRE (Windows Production Release) 1.6.0_11 Sun JRE (Windows Production Release) 1.6.0_03 Sun JRE (Windows Production Release) 1.6.0_02 Sun JRE (Windows Production Release) 1.6.0_01 Sun JRE (Solaris Production Release) 1.6 _17 Sun JRE (Solaris Production Release) 1.6 _13 Sun JRE (Solaris Production Release) 1.6 _12 Sun JRE (Solaris Production Release) 1.6 _10 Sun JRE (Solaris Production Release) 1.6 _07 Sun JRE (Solaris Production Release) 1.6 _06 Sun JRE (Solaris Production Release) 1.6 _05 Sun JRE (Solaris Production Release) 1.6 _04 Sun JRE (Solaris Production Release) 1.6 Sun JRE (Solaris Production Release) 1.7 Sun JRE (Solaris Production Release) 1.6.0_31 Sun JRE (Solaris Production Release) 1.6.0_21 Sun JRE (Solaris Production Release) 1.6.0_2 Sun JRE (Solaris Production Release) 1.6.0_19 Sun JRE (Solaris Production Release) 1.6.0_18 Sun JRE (Solaris Production Release) 1.6.0_15 Sun JRE (Solaris Production Release) 1.6.0_14 Sun JRE (Solaris Production Release) 1.6.0_11 Sun JRE (Solaris Production Release) 1.6.0_03 Sun JRE (Solaris Production Release) 1.6.0_02 Sun JRE (Solaris Production Release) 1.6.0_01 Sun JRE (Linux Production Release) 1.6 _17 Sun JRE (Linux Production Release) 1.6 _13 Sun JRE (Linux Production Release) 1.6 _12 Sun JRE (Linux Production Release) 1.6 _10 Sun JRE (Linux Production Release) 1.6 _07 Sun JRE (Linux Production Release) 1.6 _06 Sun JRE (Linux Production Release) 1.6 _05 Sun JRE (Linux Production Release) 1.6 _04 Sun JRE (Linux Production Release) 1.6 Sun JRE (Linux Production Release) 1.7 Sun JRE (Linux Production Release) 1.6.0_31 Sun JRE (Linux Production Release) 1.6.0_21 Sun JRE (Linux Production Release) 1.6.0_20 Sun JRE (Linux Production Release) 1.6.0_19 Sun JRE (Linux Production Release) 1.6.0_18 Sun JRE (Linux Production Release) 1.6.0_15 Sun JRE (Linux Production Release) 1.6.0_14 Sun JRE (Linux Production Release) 1.6.0_11 Sun JRE (Linux Production Release) 1.6.0_03 Sun JRE (Linux Production Release) 1.6.0_02 Sun JRE (Linux Production Release) 1.6.0_01 Sun JDK (Windows Production Release) 1.6 _17 Sun JDK (Windows Production Release) 1.6 _14 Sun JDK (Windows Production Release) 1.6 _13 Sun JDK (Windows Production Release) 1.6 _11 Sun JDK (Windows Production Release) 1.6 _10 Sun JDK (Windows Production Release) 1.6 _07 Sun JDK (Windows Production Release) 1.6 _06 Sun JDK (Windows Production Release) 1.6 _05 Sun JDK (Windows Production Release) 1.6 _04 Sun JDK (Windows Production Release) 1.6 Sun JDK (Windows Production Release) 1.6.0_21 Sun JDK (Windows Production Release) 1.6.0_20 Sun JDK (Windows Production Release) 1.6.0_19 Sun JDK (Windows Production Release) 1.6.0_18 Sun JDK (Windows Production Release) 1.6.0_15 Sun JDK (Windows Production Release) 1.6.0_03 Sun JDK (Windows Production Release) 1.6.0_02 Sun JDK (Windows Production Release) 1.6.0_01-b06 Sun JDK (Windows Production Release) 1.6.0_01 Sun JDK (Solaris Production Release) 1.6 _17 Sun JDK (Solaris Production Release) 1.6 _14 Sun JDK (Solaris Production Release) 1.6 _13 Sun JDK (Solaris Production Release) 1.6 _11 Sun JDK (Solaris Production Release) 1.6 _10 Sun JDK (Solaris Production Release) 1.6 _07 Sun JDK (Solaris Production Release) 1.6 _06 Sun JDK (Solaris Production Release) 1.6 _05 Sun JDK (Solaris Production Release) 1.6 _04 Sun JDK (Solaris Production Release) 1.6 _01-b06 Sun JDK (Solaris Production Release) 1.6 Sun JDK (Solaris Production Release) 1.6.0_21 Sun JDK (Solaris Production Release) 1.6.0_20 Sun JDK (Solaris Production Release) 1.6.0_19 Sun JDK (Solaris Production Release) 1.6.0_18 Sun JDK (Solaris Production Release) 1.6.0_15 Sun JDK (Solaris Production Release) 1.6.0_03 Sun JDK (Solaris Production Release) 1.6.0_02 Sun JDK (Solaris Production Release) 1.6.0_01 Sun JDK (Linux Production Release) 1.6 _17 Sun JDK (Linux Production Release) 1.6 _14 Sun JDK (Linux Production Release) 1.6 _13 Sun JDK (Linux Production Release) 1.6 _11 Sun JDK (Linux Production Release) 1.6 _10 Sun JDK (Linux Production Release) 1.6 _07 Sun JDK (Linux Production Release) 1.6 _06 Sun JDK (Linux Production Release) 1.6 _05 Sun JDK (Linux Production Release) 1.6 _04 Sun JDK (Linux Production Release) 1.6 _01-b06 Sun JDK (Linux Production Release) 1.6 _01 Sun JDK (Linux Production Release) 1.6 Sun JDK (Linux Production Release) 1.6.0_21 Sun JDK (Linux Production Release) 1.6.0_20 Sun JDK (Linux Production Release) 1.6.0_19 Sun JDK (Linux Production Release) 1.6.0_18 Sun JDK (Linux Production Release) 1.6.0_15 Sun JDK (Linux Production Release) 1.6.0_03 Sun JDK (Linux Production Release) 1.6.0_02 Sun JDK (Linux Production Release) 1.6.0 Update 7 Sun JDK (Linux Production Release) 1.6.0 Update 6 Sun JDK (Linux Production Release) 1.6.0 Update 5 Sun JDK (Linux Production Release) 1.6.0 Update 4 Sun JDK (Linux Production Release) 1.6.0 Update 3 Sun JDK (Linux Production Release) 1.6.0 Update 21 Sun JDK (Linux Production Release) 1.6.0 Update 20 Sun JDK (Linux Production Release) 1.6.0 Update 19 Sun JDK (Linux Production Release) 1.6.0 Update 18 Sun JDK (Linux Production Release) 1.6.0 Update 17 Sun JDK (Linux Production Release) 1.6.0 Update 16 Sun JDK (Linux Production Release) 1.6.0 Update 15 Sun JDK (Linux Production Release) 1.6.0 Update 14 Sun JDK (Linux Production Release) 1.6.0 Update 13 Sun JDK (Linux Production Release) 1.6.0 Update 12 Sun JDK (Linux Production Release) 1.6.0 Update 11 Sun JDK (Linux Production Release) 1.6.0 Update 10 Schneider-Electric Trio TView Software 3.27.0 Redhat Network Satellite (for RHEL 6) 5.5 Redhat Network Satellite (for RHEL 5) 5.5 Redhat Enterprise Linux Workstation Supplementary 6 Redhat Enterprise Linux Supplementary 5 server Redhat Enterprise Linux Server Supplementary 6 Redhat Enterprise Linux HPC Node Supplementary 6 Redhat Enterprise Linux Desktop Supplementary 6 Redhat Enterprise Linux Desktop Supplementary 5 client Oracle JRE (Windows Production Release) 1.7.0_4 Oracle JRE (Windows Production Release) 1.7.0_2 Oracle JRE (Windows Production Release) 1.6.0_32 Oracle JRE (Windows Production Release) 1.6.0_30 Oracle JRE (Windows Production Release) 1.6.0_28 Oracle JRE (Windows Production Release) 1.6.0_27 Oracle JRE (Windows Production Release) 1.6.0_26 Oracle JRE (Windows Production Release) 1.6.0_25 Oracle JRE (Windows Production Release) 1.6.0_24 Oracle JRE (Windows Production Release) 1.6.0_23 Oracle JRE (Windows Production Release) 1.6.0_22 Oracle JRE (Solaris Production Release) 1.7.0_4 Oracle JRE (Solaris Production Release) 1.7.0_2 Oracle JRE (Solaris Production Release) 1.6.0_32 Oracle JRE (Solaris Production Release) 1.6.0_30 Oracle JRE (Solaris Production Release) 1.6.0_28 Oracle JRE (Solaris Production Release) 1.6.0_27 Oracle JRE (Solaris Production Release) 1.6.0_26 Oracle JRE (Solaris Production Release) 1.6.0_25 Oracle JRE (Solaris Production Release) 1.6.0_24 Oracle JRE (Solaris Production Release) 1.6.0_23 Oracle JRE (Solaris Production Release) 1.6.0_22 Oracle JRE (Linux Production Release) 1.7.0_4 Oracle JRE (Linux Production Release) 1.7.0_2 Oracle JRE (Linux Production Release) 1.6.0_32 Oracle JRE (Linux Production Release) 1.6.0_30 Oracle JRE (Linux Production Release) 1.6.0_28 Oracle JRE (Linux Production Release) 1.6.0_27 Oracle JRE (Linux Production Release) 1.6.0_26 Oracle JRE (Linux Production Release) 1.6.0_25 Oracle JRE (Linux Production Release) 1.6.0_24 Oracle JRE (Linux Production Release) 1.6.0_23 Oracle JRE (Linux Production Release) 1.6.0_22 Oracle JDK (Windows Production Release) 1.7 Oracle JDK (Windows Production Release) 1.7.0_4 Oracle JDK (Windows Production Release) 1.7.0_2 Oracle JDK (Windows Production Release) 1.6.0_32 Oracle JDK (Windows Production Release) 1.6.0_30 Oracle JDK (Windows Production Release) 1.6.0_28 Oracle JDK (Windows Production Release) 1.6.0_27 Oracle JDK (Windows Production Release) 1.6.0_26 Oracle JDK (Windows Production Release) 1.6.0_25 Oracle JDK (Windows Production Release) 1.6.0_24 Oracle JDK (Windows Production Release) 1.6.0_23 Oracle JDK (Windows Production Release) 1.6.0_22 Oracle JDK (Solaris Production Release) 1.7 Oracle JDK (Solaris Production Release) 1.7.0_4 Oracle JDK (Solaris Production Release) 1.7.0_2 Oracle JDK (Solaris Production Release) 1.6.0_32 Oracle JDK (Solaris Production Release) 1.6.0_30 Oracle JDK (Solaris Production Release) 1.6.0_28 Oracle JDK (Solaris Production Release) 1.6.0_27 Oracle JDK (Solaris Production Release) 1.6.0_26 Oracle JDK (Solaris Production Release) 1.6.0_25 Oracle JDK (Solaris Production Release) 1.6.0_24 Oracle JDK (Solaris Production Release) 1.6.0_23 Oracle JDK (Solaris Production Release) 1.6.0_22 Oracle JDK (Linux Production Release) 1.7 Oracle JDK (Linux Production Release) 1.7.0_4 Oracle JDK (Linux Production Release) 1.7.0_2 Oracle JDK (Linux Production Release) 1.6.0_32 Oracle JDK (Linux Production Release) 1.6.0_30 Oracle JDK (Linux Production Release) 1.6.0_28 Oracle JDK (Linux Production Release) 1.6.0_27 Oracle JDK (Linux Production Release) 1.6.0_26 Oracle JDK (Linux Production Release) 1.6.0_25 Oracle JDK (Linux Production Release) 1.6.0_24 Oracle JDK (Linux Production Release) 1.6.0_23 Oracle JDK (Linux Production Release) 1.6.0_22 Oracle GlassFish Enterprise Server 3.1.1 IBM Tivoli Monitoring for Energy Management 6.3.2.1 IBM Rational Synergy 7.1.0.6 IBM Rational Method Composer 7.5.2 IBM Java SE 7 SR1 IBM Java SE 6 SR10 IBM Java SE 5.0 SR13 IBM Java SE 5.0 SR12-FP5 IBM Java SE 5.0 SR11 PF1 IBM Java SE 5.0 SR11 IBM Java SE 5.0 SR10 IBM Java SDK 7 SR1 IBM Java SDK 1.4.2.SR13-FP5 IBM Java SDK 1.4.2 SR13-FP9 IBM Java SDK 1.4.2 SR13-FP6 IBM Java SDK 1.4.2 SR13-FP2 IBM Java SDK 1.4.2 SR13-FP10 IBM Java SDK 1.4.2 SR13-FP1 IBM Java SDK 1.4.2 SR13 FP11 IBM DOORS Web Access 9.4 IBM DOORS Web Access 9.0 IBM DB2 Query Management Facility (QMF) 9.1.19 IBM DB2 Query Management Facility (QMF) 10.1.5 HP NonStop Server J6.0.14.01 HP NonStop Server J06.16 HP NonStop Server J06.15.01 HP NonStop Server J06.15 HP NonStop Server J06.14.02 HP NonStop Server J06.14 HP NonStop Server J06.13.01 HP NonStop Server J06.13 HP NonStop Server J06.12.00 HP NonStop Server J06.11.01 HP NonStop Server J06.11.00 HP NonStop Server J06.10.02 HP NonStop Server J06.10.01 HP NonStop Server J06.10.00 HP NonStop Server J06.09.04 HP NonStop Server J06.09.03 HP NonStop Server J06.09.02 HP NonStop Server J06.09.01 HP NonStop Server J06.09.00 HP NonStop Server J06.08.04 HP NonStop Server J06.08.03 HP NonStop Server J06.08.02 HP NonStop Server J06.08.01 HP NonStop Server J06.08.00 HP NonStop Server J06.07.02 HP NonStop Server J06.07.01 HP NonStop Server J06.07.00 HP NonStop Server J06.06.03 HP NonStop Server J06.06.02 HP NonStop Server J06.06.01 HP NonStop Server J06.06.00 HP NonStop Server J06.05.02 HP NonStop Server J06.05.01 HP NonStop Server J06.05.00 HP NonStop Server J06.04.02 HP NonStop Server J06.04.01 HP NonStop Server J06.04.00 HP NonStop Server H06.27 HP NonStop Server H06.26.01 HP NonStop Server H06.26 HP NonStop Server H06.25.01 HP NonStop Server H06.25 HP NonStop Server H06.24.01 HP NonStop Server H06.24 HP NonStop Server H06.23 HP NonStop Server H06.22.01 HP NonStop Server H06.22.00 HP NonStop Server H06.21.02 HP NonStop Server H06.21.01 HP NonStop Server H06.21.00 HP NonStop Server H06.20.03 HP NonStop Server H06.20.02 HP NonStop Server H06.20.01 HP NonStop Server H06.20.00 HP NonStop Server H06.19.03 HP NonStop Server H06.19.02 HP NonStop Server H06.19.01 HP NonStop Server H06.19.00 HP NonStop Server H06.18.02 HP NonStop Server H06.18.01 HP NonStop Server H06.18.00 HP NonStop Server H06.17.03 HP NonStop Server H06.17.02 HP NonStop Server H06.17.01 HP NonStop Server H06.17.00 HP NonStop Server H06.16.02 HP NonStop Server H06.16.01 HP NonStop Server H06.16.00 HP NonStop Server H06.15.02 HP NonStop Server H06.15.01 HP NonStop Server H06.15.00 HP HP-UX B.11.31 HP HP-UX B.11.23 HP HP-UX B.11.11 Attachmate Reflection X 2011 Attachmate Reflection Suite for X 2011 Attachmate Reflection for Secure IT Windows Server 0 Attachmate Reflection for Secure IT UNIX Server 0 Attachmate Reflection for Secure IT UNIX Client 0 Apple Mac OS X Server 10.7.4 Apple Mac OS X Server 10.6.8 Apple Mac OS X 10.7.4 Apple Mac OS X 10.6.8 |
| Not Vulnerable: | Schneider-Electric Trio TView Software 3.29.0 IBM Rational Synergy 7.1.0.7 IBM Rational Method Composer 7.5.2.1 IBM Java SE 7 SR2 IBM Java SE 6.0.1 SR2-FP1 IBM Java SE 6 SR11 IBM Java SE 5.0 SR14 IBM Java SDK 7 SR2 IBM Java SDK 1.4.2 SR13 FP13 IBM DOORS Web Access 9.5 IBM DB2 Query Management Facility (QMF) 9.1.20 IBM DB2 Query Management Facility (QMF) 10.1.6 |
Discussion
Oracle GlassFish Server is prone to multiple cross-site scripting and HTML-injection vulnerabilities that affect the administrative web interface.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
These vulnerabilities affect the following supported versions:
GlassFish Enterprise Server 3.1.1
Exploit / POC
Attackers can use a browser to exploit these issues. To exploit a cross-site scripting vulnerability, an attacker must entice an unsuspecting user to follow a malicious URI.
Exploit inputs and URIs are available; please see the references.
Solution / Fix
Solution:
Vendor updates are available. Please see the references for more information.
References
References:
- HPSBUX02805 SSRT100919 rev.1 - HP-UX Running Java, Remote Unauthorized Access, D (HP)
- Java Homepage (Sun)
- June 2012 Oracle vulnerabilities update to IBM Java in Rational DOORS Web Access (IBM)
- Oracle Critical Patch Updates (CPUs) and Synchronized Security Releases (SSRs) (IBM)
- Oracle GlassFish Server 3.1.1 Build 12 Cross Site Scripting (Security-Assessment.com)
- Schneider Electric Andover Continuum Agent 6.3.2.1-TIV-ITM_EM-SCH-IF0001 (IBM)
- Security Updates and Reflection PKI Services Manager (Attachmate)
- Xerox Security Bulletin XRX12-009 (Xerox)
- Advisory (ICSA-17-213-02) Schneider Electric Trio TView (CERT)
- HPSBNS02920 rev.1 - HP NonStop Servers Multiple Remote Vulnerabilities (HP)
- Oracle Critical Patch Update Advisory - April 2012 (Oracle)
- Oracle Java SE Critical Patch Update Advisory - June 2012 (Oracle)
- Potential security vulnerabilities in DB2 QMF for Workstation and DB2 QMF for We (IBM)
- Rational Method Composer Security Vulnerability: Multiple security vulnerabiliti (IBM)
- Security Bulletin: Multiple Vulnerabilities in Rational Synergy (IBM)
- VMSA-2012-0013 (VMWare)