CVE-2009-1088

Name of the Vulnerable Software and Affected Versions Hannon Hill Cascade Server version 5.7 and other versions

Description The issue allows remote authenticated users to execute arbitrary programs or Java code. This is achieved by using a crafted XSLT stylesheet that includes extension elements and extension functions, which trigger code execution by Xalan-Java. An example of exploitation is demonstrated using xalan://java.lang.Runtime.

Recommendations For Hannon Hill Cascade Server version 5.7 and other affected versions, consider restricting access to XSLT stylesheets to prevent the execution of arbitrary code until a patch is available. As a temporary workaround, disabling the use of extension elements and extension functions in XSLT stylesheets may help minimize the risk of exploitation.