Vulnerability Note VU#305208
Caucho Resin vulnerable to XSS via "file" parameter to "viewfile"
The "viewfile" command provided by Caucho Resin contains a cross-site scripting (XSS) vulnerability in the "file" parameter.
Caucho Resin is a Java-based application server. The "viewfile" command that is provided with the Resin documentation is vulnerable to XSS via the "file" parameter.
A remote, unauthenticated attacker may be able to execute arbitrary script within the context of the Resin web pages.
Apply an update
This issue is resolved in Resin 3.0.25 and 3.1.4. Note that the vendor does not recommend including the Resin documentation on production web servers, which would prevent the vulnerable command from being exposed.
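Added example, not code from the advisory or from Caucho: a small Python check over constructed access-log lines that flags any request reaching the documentation's "viewfile" command (which the vendor says should not be deployed on production servers at all) and separately flags "file" parameter values that still carry HTML or script markers after URL decoding, including double-encoded ones. The /resin-doc path prefix and the log lines themselves are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2007:10:01:02 +0000] "GET /resin-doc/viewfile?file=index.xtp HTTP/1.1" 200 1532
10.0.0.7 - - [05/Dec/2007:10:02:17 +0000] "GET /resin-doc/viewfile?file=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812
10.0.0.9 - - [05/Dec/2007:10:03:44 +0000] "GET /index.jsp HTTP/1.1" 200 4098
10.0.0.7 - - [05/Dec/2007:10:04:00 +0000] "GET /resin-doc/viewfile?file=%253Cimg%2520src%3Dx%2520onerror%3Dx%253E HTTP/1.1" 200 812
"""

# Client IP, method and request target from a CLF line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Markup fragments that should never appear in a file name meant for viewfile.
MARKER_RE = re.compile(r'<|>|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input is seen in its final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding dict for a viewfile request, or None if the line is unrelated."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/viewfile"):
        return None
    # parse_qs already decodes once; fully_decode catches further encoding layers.
    values = [fully_decode(v) for v in parse_qs(parts.query, keep_blank_values=True).get("file", [])]
    reason = "xss-marker" if any(MARKER_RE.search(v) for v in values) else "viewfile-exposed"
    return {"ip": m.group("ip"), "file": values, "reason": reason}


def scan_log(text):
    """All findings for a block of log text, in file order."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any "viewfile-exposed" finding on a production host is itself actionable, since the vendor's guidance is that the documentation context should not be deployed there.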
Systems Affected

|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Caucho Technology|Affected|28 Nov 2007|25 Jun 2008|
Thanks to Tomasz Kuczynski for reporting this vulnerability.
This document was written by Will Dormann.
- CVE IDs: CVE-2008-2462
- Date Public: 05 Dec 2007
- Date First Published: 25 Jun 2008
- Date Last Updated: 25 Jun 2008
- Severity Metric: 5.94
- Document Revision: 2