CVE-2009-1218

Name of the Vulnerable Software and Affected Versions Sun Java System Calendar Server versions 6.0 through 6.3-7.01

Description The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the fmt-out parameter to "login.wcap" or the date parameter to "command.shtml".

Recommendations For Sun Java System Calendar Server versions 6.0 through 6.3-7.01, consider restricting access to the "login.wcap" and "command.shtml" endpoints as a temporary workaround until a patch is available. Avoid using the fmt-out and date parameters in the affected API endpoints until the issue is resolved.