CVE-2010-1227

Name of the Vulnerable Software and Affected Versions Sun Java System Communications Express versions 6.2 through 6.3

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the subject field of a message. This can be demonstrated by a subject containing an IMG element with a SRC attribute that performs a cross-site request forgery (CSRF) attack involving the cmd and argv parameters to cmd.msc.

Recommendations For Sun Java System Communications Express versions 6.2 through 6.3, consider restricting the use of the subject field in messages to minimize the risk of exploitation. As a temporary workaround, avoid using the subject field to inject arbitrary web script or HTML until a patch is available.