CVE-2009-1729

Name of the Vulnerable Software and Affected Versions: Sun Java System Communications Express versions 6.2 through 6.3

Description: The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the abperson displayName parameter to "uwc/abs/search.xml" in the Add Contact implementation in the Personal Address Book component or the temporaryCalendars parameter to "uwc/base/UWCMain".

Recommendations: For Sun Java System Communications Express versions 6.2 through 6.3, consider restricting access to the vulnerable parameters abperson displayName and temporaryCalendars to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.