Vulnerability Description
Multiple cross-site scripting (XSS) vulnerabilities in hq/web/common/GenericError.jsp in the generic exception handler in the web interface in SpringSource Hyperic HQ 3.2.x before 3.2.6.1, 4.0.x before 4.0.3.1, 4.1.x before 4.1.2.1, and 4.2-beta1; Application Management Suite (AMS) 2.0.0.SR3; and tc Server 6.0.20.B allow remote attackers to inject arbitrary web script or HTML via invalid values for numerical parameters, as demonstrated by an uncaught java.lang.NumberFormatException exception resulting from (1) the typeId parameter to mastheadAttach.do, (2) the eid parameter to Resource.do, and (3) the u parameter in a view action to admin/user/UserAdmin.do. NOTE: some of these details are obtained from third party information.
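The mechanism above is a common one: a controller calls `Integer.parseInt` on a request parameter, the resulting `NumberFormatException` (whose message quotes the offending input verbatim, e.g. `For input string: "<script>…"`) is left uncaught, and the generic error page writes the exception message into HTML without escaping. The following Java program is an added illustration of that pattern next to a hardened version; it is not Hyperic HQ, AMS or tc Server code, and the method names, the `typeId` handling and the sample payload are assumptions constructed for the demonstration.

```java
/**
 * Added illustration of the CVE-2009-2897 pattern (not Hyperic HQ code):
 * an unvalidated numeric parameter, an uncaught NumberFormatException, and a
 * generic error page that reflects the exception message unescaped.
 */
public class GenericErrorDemo {

    /** Constructed attacker input for a parameter the app expects to be numeric. */
    static final String PAYLOAD = "<script>alert(document.cookie)</script>";

    /** Hypothetical action handler: parses typeId and lets any failure propagate. */
    static int lookupResource(String typeId) {
        return Integer.parseInt(typeId);   // throws NumberFormatException on "<script>..."
    }

    /** Hardened action: check the shape before parsing, reject with a client error. */
    static int lookupResourceHardened(String typeId) {
        if (typeId == null || !typeId.matches("\\d{1,9}")) {
            throw new IllegalArgumentException("typeId must be a positive integer");
        }
        return Integer.parseInt(typeId);
    }

    /** Vulnerable generic handler: the exception text goes straight into markup. */
    static String renderErrorVulnerable(Throwable t) {
        // Integer.parseInt's message is: For input string: "<script>alert(...)</script>"
        return "<html><body><h1>Error</h1><pre>" + t.getMessage()
             + "</pre></body></html>";
    }

    /** Hardened generic handler: escape anything that is reflected into the page. */
    static String renderErrorHardened(Throwable t) {
        return "<html><body><h1>Error</h1><pre>"
             + escapeHtml(String.valueOf(t.getMessage()))
             + "</pre></body></html>";
    }

    /** Minimal HTML entity escaping for text nodes; '&' must be handled first. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Simulates the request pipeline: run the action, hand failures to the generic handler. */
    static String serve(String typeId, boolean hardened) {
        try {
            int id = hardened ? lookupResourceHardened(typeId) : lookupResource(typeId);
            return "<html><body><p>resource " + id + "</p></body></html>";
        } catch (RuntimeException e) {
            return hardened ? renderErrorHardened(e) : renderErrorVulnerable(e);
        }
    }

    public static void main(String[] args) {
        String vulnerable = serve(PAYLOAD, false);
        String hardened = serve(PAYLOAD, true);
        System.out.println(vulnerable);
        System.out.println(hardened);
        // The vulnerable page reflects the script tag verbatim; the hardened page never does.
        if (!vulnerable.contains("<script>") || hardened.contains("<script>")) {
            throw new AssertionError("unexpected reflection behaviour");
        }
        System.out.println(serve("42", true));
    }
}
```

Both layers matter: validating the parameter shape before `parseInt` keeps attacker text out of the exception in the first place, and escaping in the error page covers every other exception type whose message might echo input. Error pages that reflect nothing beyond a fixed message and log the details server-side are safer still.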
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Springsource | Application Management Suite | 2.0.0 |
| Springsource | Hyperic Hq | 3.2 |
| Springsource | Tc Server | 6.0.20 |
Related Weaknesses (CWE)
References
- http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=advisory (Exploit, Patch)
- http://forums.hyperic.com/jiveforums/thread.jspa?messageID=22156
- http://jira.hyperic.com/browse/HHQ-2655 (Exploit)
- http://secunia.com/advisories/36935 (Vendor Advisory)
- http://www.coresecurity.com/content/hyperic-hq-vulnerabilities (Exploit, Patch)
- http://www.osvdb.org/58608
- http://www.osvdb.org/58609
- http://www.osvdb.org/58610
- http://www.securityfocus.com/archive/1/506935/100/0/threaded
- http://www.securityfocus.com/archive/1/506936/100/0/threaded
- http://www.springsource.com/security/hyperic-hq (Patch, Vendor Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53658
FAQ
What is CVE-2009-2897?
CVE-2009-2897 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Multiple cross-site scripting (XSS) vulnerabilities in hq/web/common/GenericError.jsp in the generic exception handler in the web interface in SpringSource Hyperic HQ 3.2.x before 3.2.6.1, 4.0.x before 4.0.3.1, 4.1.x before 4.1.2.1, and 4.2-beta1 (plus AMS 2.0.0.SR3 and tc Server 6.0.20.B) allow remote attackers to inject arbitrary web script or HTML via invalid values for numerical parameters; see the full description above.
How severe is CVE-2009-2897?
CVE-2009-2897 has been rated MEDIUM with a CVSS base score of 4.3/10. Only the base score is listed on this page; the per-metric vector is not given here.
Is there a patch for CVE-2009-2897?
Yes. The description lists the fixed releases: Hyperic HQ 3.2.6.1, 4.0.3.1 and 4.1.2.1 for the 3.2.x, 4.0.x and 4.1.x lines respectively. See the SpringSource security advisory (http://www.springsource.com/security/hyperic-hq) and the other references above for patch details. Affected products include: Springsource Application Management Suite, Springsource Hyperic Hq, Springsource Tc Server.