CVE-2009-0307

Name of the Vulnerable Software and Affected Versions BlackBerry Enterprise Server versions prior to 4.1.6 MR5

Description A cross-site scripting issue exists in the Customize Statistics Page of the MDS Connection Service, allowing remote attackers to inject arbitrary web script or HTML via several parameters, including customDate, interval, lastCustomInterval, lastIntervalLength, nextCustomInterval, nextIntervalLength, action, delIntervalIndex, addStatIndex, delStatIndex, and referenceTime, in the "admin/statistics/ConfigureStatistics" endpoint.

Recommendations For versions prior to 4.1.6 MR5, update to version 4.1.6 MR5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "admin/statistics/ConfigureStatistics" endpoint to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected endpoint until the issue is resolved.