CVE-2009-2898

Name of the Vulnerable Software and Affected Versions: SpringSource Hyperic HQ versions 3.2.x through 3.2.6.0 SpringSource Hyperic HQ versions 4.0.x through 4.0.3.0 SpringSource Hyperic HQ versions 4.1.x through 4.1.2.0 SpringSource Hyperic HQ version 4.2-beta1 Application Management Suite (AMS) version 2.0.0.SR3 tc Server version 6.0.20.B

Description: The issue is related to a cross-site scripting (XSS) vulnerability in the Alerts list feature of the web interface. This vulnerability allows remote authenticated users to inject arbitrary web script or HTML via the Description field.

Recommendations: For SpringSource Hyperic HQ versions 3.2.x through 3.2.6.0, update to version 3.2.6.1 or later. For SpringSource Hyperic HQ versions 4.0.x through 4.0.3.0, update to version 4.0.3.1 or later. For SpringSource Hyperic HQ versions 4.1.x through 4.1.2.0, update to version 4.1.2.1 or later. For SpringSource Hyperic HQ version 4.2-beta1, update to a newer version that includes the fix. For Application Management Suite (AMS) version 2.0.0.SR3, update to a newer version that includes the fix. For tc Server version 6.0.20.B, update to a newer version that includes the fix. As a temporary workaround, consider restricting access to the Alerts list feature in the web interface until a patch is available. Avoid using the Description field in the Alerts list feature until the issue is resolved.