CVE-2009-0038

Name of the Vulnerable Software and Affected Versions Apache Geronimo Application Server versions 2.1 through 2.1.3

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the web administration console. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The injection can occur via specific parameters: name, ip, username, or description to the "console/portal/Server/Monitoring" endpoint, or via the PATH INFO to the default URI under "console/portal/".

Recommendations For Apache Geronimo Application Server versions 2.1 through 2.1.3, consider restricting access to the web administration console until a fix is available. As a temporary workaround, avoid using the vulnerable parameters name, ip, username, or description in the "console/portal/Server/Monitoring" endpoint. Additionally, restrict the PATH INFO to the default URI under "console/portal/" to minimize the risk of exploitation.