Oracle GlassFish Server Cross-Site Scripting Vulnerability Network Vulnerability

Summary

The host is running GlassFish Server and is prone to cross-site scripting vulnerability.

Impact

Successful exploitation will allow attackers to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Impact Level: Application

Solution

Apply the security updates. http://www.oracle.com/technetwork/topics/security/whatsnew/index.html

Insight

The flaw is due to error in the handling of log viewer, which fails to securely output encode logged values. An unauthenticated attacker can trigger the application to log a malicious string by entering the values into the username field.

Affected

Oracle GlassFish Server version 2.1.1

References

http://packetstormsecurity.org/files/view/103167/SOS-11-009.txt
http://www.exploit-db.com/exploits/17551/
http://www.securityfocus.com/archive/1/518923

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-2260
CVSS Base Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

Related Vulnerabilities

Lighttpd Trailing Slash Information Disclosure Vulnerability
Acme thttpd and mini_httpd Terminal Escape Sequence in Logs Command Injection Vulnerability
AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
Ecava IntegraXor Directory Traversal Vulnerability
IBM WebSphere Application Server Cross-Site Request Forgery Vulnerability

Take action and discover your vulnerabilities