Vulnerability identifier: #VU35038

Vulnerability risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2011-3606

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
JBoss Application Server
Server applications / Application servers

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution.

Mitigation
Install update from vendor's website.

Vulnerable software versions

JBoss Application Server: 7.0.0 - 7.0.2

---

External links
http://access.redhat.com/security/cve/cve-2011-3606
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606
http://security-tracker.debian.org/tracker/CVE-2011-3606

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.