CVE-2009-2405

Name of the Vulnerable Software and Affected Versions Red Hat JBoss Enterprise Application Platform versions 4.2.0 through 4.2.0.CP07, 4.2.2GA and earlier, 4.3 versions prior to 4.3.0.CP07, 5.1.0GA and earlier

Description The issue affects the Web Console in the Application Server, allowing remote attackers to inject arbitrary web script or HTML. This can be achieved via several parameters in createSnapshot.jsp and createThresholdMonitor.jsp, including monitorName, objectName, attribute, period, threshold, and enabled.

Recommendations For versions 4.2.0 through 4.2.0.CP07, update to 4.2.0.CP08 or later. For 4.2.2GA and earlier, update to a version later than 4.2.2GA. For 4.3 versions prior to 4.3.0.CP07, update to 4.3.0.CP07 or later. For 5.1.0GA and earlier, update to a version later than 5.1.0GA. As a temporary workaround, consider restricting access to the createSnapshot.jsp and createThresholdMonitor.jsp pages until a patch is applied.