Vulnerability identifier: #VU35038
Vulnerability risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-79
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
JBoss Application Server
Server applications /
Application servers
Vendor: Red Hat Inc.
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution.
Mitigation
Install update from vendor's website.
Vulnerable software versions
JBoss Application Server: 7.0.0 - 7.0.2
External links
http://access.redhat.com/security/cve/cve-2011-3606
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606
http://security-tracker.debian.org/tracker/CVE-2011-3606
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.