CVE-2009-1554

Name of the Vulnerable Software and Affected Versions: Sun Woodstock version 4.2

Description: A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via a UTF-7 string in the PATH INFO, which is displayed on the 404 error page. This can be demonstrated by the PATH INFO to theme/META-INF.

Recommendations: For Sun Woodstock version 4.2, update the ThemeServlet.java to properly handle UTF-7 strings in the PATH INFO to prevent XSS attacks. As a temporary workaround, consider restricting access to the 404 error page or disabling the display of user-inputted data on this page until a patch is available.