Vulnerability Note VU#305208
Caucho Resin vulnerable to XSS via "file" parameter to "viewfile"
Overview
The "viewfile" command provided by Caucho Resin contains a cross-site scripting (XSS) vulnerability in the "file" parameter.
Description
Caucho Resin is a Java-based application server. The "viewfile" command that is provided with the Resin documentation is vulnerable to XSS via the "file" parameter.
Impact
A remote, unauthenticated attacker may be able to execute arbitrary script within the context of the Resin web pages.
Solution
Apply an update
This issue is resolved in Resin 3.0.25 and 3.1.4. Note that the vendor does not recommend including the Resin documentation on production web servers, which would prevent the vulnerable command from being exposed.
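The note describes a reflected XSS through a single query parameter and two mitigations (upgrade, or keep the documentation off production servers). The following is an added example for defenders, not code from the vulnerability note or from Caucho: it parses constructed Common Log Format access-log lines, flags any request to a "viewfile" path whose "file" parameter fails an allowlist for documentation file names (so detection does not depend on recognising particular payloads), and shows the output-side fix, HTML-escaping the parameter before it is echoed. The "/resin-doc/" path prefix in the sample lines is an assumption used only for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Common Log Format (not from a real
# server). The /resin-doc/ prefix is an assumed location for the documentation.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Dec/2007:10:00:01 +0000] "GET /resin-doc/viewfile/?file=index.xtp HTTP/1.1" 200 5120
192.0.2.11 - - [05/Dec/2007:10:00:02 +0000] "GET /resin-doc/viewfile/?file=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 812
192.0.2.12 - - [05/Dec/2007:10:00:03 +0000] "GET /index.jsp HTTP/1.1" 200 2048
192.0.2.13 - - [05/Dec/2007:10:00:04 +0000] "GET /resin-doc/viewfile/?file=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 900
"""

# Common Log Format: client, ident, user, [timestamp], "request line", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Allowlist for a documentation file name: letters, digits, dot, underscore,
# hyphen and slash only; no HTML metacharacters and no ".." path steps.
SAFE_FILE_RE = re.compile(r'^(?!.*\.\.)[A-Za-z0-9_.\-/]+$')


def is_safe_file_param(value):
    """True if the decoded 'file' value looks like a plain documentation path."""
    return bool(SAFE_FILE_RE.match(value))


def parse_log_line(line):
    """Split one CLF line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_viewfile_xss_attempts(log_text):
    """Return (client_ip, timestamp, decoded file value) for every request to a
    viewfile path whose 'file' parameter fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if "viewfile" not in parts.path.lower():
            continue
        # parse_qs percent-decodes, so the allowlist sees the real characters
        for value in parse_qs(parts.query, keep_blank_values=True).get("file", []):
            if not is_safe_file_param(value):
                hits.append((rec["ip"], rec["ts"], value))
    return hits


def render_file_name(value):
    """Output-side fix: a page that reflects the parameter must HTML-escape it
    (including quotes) so browser-significant characters are rendered as text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for ip, ts, value in find_viewfile_xss_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious file= {render_file_name(value)}")
```

The allowlist is deliberately stricter than a blocklist of known payload fragments: any "file" value that is not a plain documentation path is worth a look, and escaping on output is what removes the reflected-script risk regardless of what the parameter contains. Neither replaces the vendor's advice to upgrade or to leave the documentation off production servers.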
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Caucho Technology | Affected | 28 Nov 2007 | 25 Jun 2008 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.caucho.com/
- http://www.caucho.com/resin/changes/changes-31.xtp#3.1.4%20-%20Dec%205,%202007
Credit
Thanks to Tomasz Kuczynski for reporting this vulnerability.
This document was written by Will Dormann.
Other Information
- CVE IDs: CVE-2008-2462
- Date Public: 05 Dec 2007
- Date First Published: 25 Jun 2008
- Date Last Updated: 25 Jun 2008
- Severity Metric: 5.94
- Document Revision: 2