Overview
A cross-site scripting vulnerability in Sun ONE and Sun Java System Applications may allow an attacker to read or modify data in web pages and cookies.
Description
From Sun Alert Notification 102164: A Cross Site Scripting (XSS) vulnerability in various releases of the Sun Java System Web Server and Sun Java System Application Server may allow an unprivileged local or remote user to steal cookie information, hijack sessions, or cause a loss of data privacy between a client and the server. Sun states that the following products can be affected:
|
Impact
By convincing a user to visit a web page, an attacker could read or modify the contents of web pages on a vulnerable web server. The attacker could read sensitive information, steal cookies, or modify the contents of a web page. |
Solution
Apply an update |
|
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A |
References
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102164-1
- http://jvn.jp/jp/JVN%2303D5EAA8/index.html
- http://www.ipa.go.jp/security/vuln/documents/2006/JVN_03D5EAA8_SJSWebServer.html
- http://www.cert.org/archive/pdf/cross_site_scripting.pdf
- http://secunia.com/advisories/20147/
- http://www.auscert.org.au/6341
Acknowledgements
Thanks to JPCERT/CC and IPA for reporting this vulnerability.
This document was written by Katie Washok and Art Manion.
Other Information
| CVE IDs: | CVE-2006-2501 |
| Severity Metric: | 14.50 |
| Date Public: | 2005-03-08 |
| Date First Published: | 2006-08-10 |
| Date Last Updated: | 2006-08-15 17:46 UTC |
| Document Revision: | 32 |