PT-2009-5255 · Springsource · Springsource Hyperic Hq+2

Published: 2009-10-13 · Updated: 2018-10-10 · CVE-2009-2897

CVSS v2.0: 4.3 (Medium), Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: SpringSource Hyperic HQ versions 3.2.x through 3.2.6, SpringSource Hyperic HQ versions 4.0.x through 4.0.3, SpringSource Hyperic HQ versions 4.1.x through 4.1.2, SpringSource Hyperic HQ version 4.2-beta1, Application Management Suite (AMS) version 2.0.0.SR3, tc Server version 6.0.20.B
Description: The issue allows remote attackers to inject arbitrary web script or HTML via invalid values for numerical parameters. This can be demonstrated by an uncaught java.lang.NumberFormatException exception resulting from invalid values for the typeId parameter to "mastheadAttach.do", the eid parameter to "Resource.do", and the u parameter in a view action to "admin/user/UserAdmin.do".
Recommendations: For SpringSource Hyperic HQ versions 3.2.x through 3.2.6, update to version 3.2.6.1 or later. For SpringSource Hyperic HQ versions 4.0.x through 4.0.3, update to version 4.0.3.1 or later. For SpringSource Hyperic HQ versions 4.1.x through 4.1.2, update to version 4.1.2.1 or later. For SpringSource Hyperic HQ version 4.2-beta1, update to a newer version that contains a fix for this issue. For Application Management Suite (AMS) version 2.0.0.SR3, update to a newer version that contains a fix for this issue. For tc Server version 6.0.20.B, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the "mastheadAttach.do", "Resource.do", and "admin/user/UserAdmin.do" endpoints until a patch is available. Avoid using the typeId, eid, and u parameters in these endpoints until the issue is resolved.
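The pattern behind this issue, as an added illustration that is not Hyperic HQ code (the handler and class names are hypothetical): a numeric parameter is passed straight to Integer.parseInt, the resulting NumberFormatException carries the raw input in its message, and a default error page reflects that message into HTML unescaped. The hardened variant validates the parameter's shape first, answers bad input with a fixed message, and escapes anything it does render.

```java
import java.util.regex.Pattern;

/** Added example, not Hyperic HQ code: unvalidated numeric parameter vs. a hardened handler. */
public final class NumericParamHandling {

    // Vulnerable shape: parseInt on raw input. When the exception is left uncaught, a
    // default container error page prints e.getMessage(), which quotes the input verbatim
    // ("For input string: \"...\""), so any markup in the parameter lands in the response.
    static String vulnerableResourcePage(String typeId) {
        try {
            int id = Integer.parseInt(typeId);
            return "<html><body>Resource type " + id + "</body></html>";
        } catch (NumberFormatException e) {
            // Mimics what the container renders when the exception propagates uncaught.
            return "<html><body><h1>HTTP Status 500</h1><pre>" + e.getMessage()
                    + "</pre></body></html>";
        }
    }

    private static final Pattern DIGITS = Pattern.compile("[0-9]{1,9}");

    // Hardened: check the shape before parsing, never echo the raw value, and HTML-escape
    // whatever is reflected. parseInt cannot throw once the regex has matched.
    static String hardenedResourcePage(String typeId) {
        if (typeId == null || !DIGITS.matcher(typeId).matches()) {
            return "<html><body><h1>HTTP Status 400</h1><p>Invalid resource type id.</p></body></html>";
        }
        int id = Integer.parseInt(typeId);
        return "<html><body>Resource type " + htmlEscape(Integer.toString(id)) + "</body></html>";
    }

    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String probe = "<i>not-a-number</i>";              // constructed invalid value
        System.out.println(vulnerableResourcePage(probe)); // 500 page echoes the markup raw
        System.out.println(hardenedResourcePage(probe));   // generic 400, nothing reflected
    }
}
```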

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2009-2897

Affected Products

Application Management Suite
Springsource Hyperic Hq
Tc Server