Vulnerability Note VU#114956
Sun ONE and Sun Java System Applications vulnerable to cross-site scripting via default error page
A cross-site scripting vulnerability in Sun ONE and Sun Java System Applications may allow an attacker to read or modify data in web pages and cookies.
From Sun Alert Notification 102164:
A Cross Site Scripting (XSS) vulnerability in various releases of the Sun Java System Web Server and Sun Java System Application Server may allow an unprivileged local or remote user to steal cookie information, hijack sessions, or cause a loss of data privacy between a client and the server.
Sun states that the following products can be affected:
By convincing a user to visit a web page, an attacker could read or modify the contents of web pages on a vulnerable web server. The attacker could read sensitive information, steal cookies, or modify the contents of a web page.
Apply an update
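The class of flaw named in the title, shown as an added example (not Sun's code and not part of the original note). It assumes the default error page echoes the requested URL into its HTML, a detail the note does not give; the template, function names and probe strings are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Constructed stand-in for a server's default "not found" page.
ERROR_PAGE = (
    "<html><head><title>Not Found</title></head><body>"
    "<h1>Not Found</h1><p>The requested URL {url} was not found.</p>"
    "</body></html>"
)

# Constructed, inert probes: markup sent raw and percent-encoded.
PROBES = ["/<b>probe-1</b>", "/%3Cb%3Eprobe-2%3C%2Fb%3E"]


def render_error_unsafe(raw_path: str) -> str:
    """'Before': the decoded request path is copied into the HTML as-is."""
    return ERROR_PAGE.format(url=unquote(raw_path))


def render_error_safe(raw_path: str) -> str:
    """'After': the path is HTML-escaped before it reaches the page."""
    return ERROR_PAGE.format(url=html.escape(unquote(raw_path), quote=True))


def reflected_probes(render) -> list:
    """Return the probes whose decoded markup survives verbatim in the page."""
    return [p for p in PROBES if unquote(p) in render(p)]


if __name__ == "__main__":
    for name, fn in (("unsafe", render_error_unsafe), ("safe", render_error_safe)):
        print(name, "reflects:", reflected_probes(fn))
```

The same `reflected_probes` check can be kept as a regression test against any custom error page that replaces the default one.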
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Red Hat, Inc. | Affected | 08 Mar 2005 | 10 Aug 2006 |
| Sun Microsystems, Inc. | Affected | 08 Mar 2005 | 10 Aug 2006 |
| Netscape Communications Corporation | Unknown | 08 Mar 2005 | 10 Aug 2006 |
| Novell, Inc. | Unknown | 08 Mar 2005 | 10 Aug 2006 |
Thanks to JPCERT/CC and IPA for reporting this vulnerability.
This document was written by Katie Washok and Art Manion.
- CVE IDs: CVE-2006-2501
- Date Public: 08 Mar 2005
- Date First Published: 10 Aug 2006
- Date Last Updated: 15 Aug 2006
- Severity Metric: 14.50
- Document Revision: 32