CVE-2008-0239

Name of the Vulnerable Software and Affected Versions Sun Java System Identity Manager versions 6.0 SP1 through 7.1

Description The issue allows remote attackers to inject arbitrary HTML or web script via specific parameters to certain API endpoints, including the cntry or lang parameters to "/idm/login.jsp", the resultsForm parameter to "/idm/account/findForSelect.jsp", or the activeControl parameter to "/idm/user/main.jsp".

Recommendations For Sun Java System Identity Manager versions 6.0 SP1 through 7.1, consider disabling access to the vulnerable API endpoints "/idm/login.jsp", "/idm/account/findForSelect.jsp", and "/idm/user/main.jsp" until a patch is available. Restrict the use of parameters cntry, lang, resultsForm, and activeControl in these endpoints to minimize the risk of exploitation.