Credit:
The information has been provided by SCS team.
The original article can be found at: http://www.coresecurity.com/content/sun-communications-express
Vulnerable Systems:
* Sun Java System Communications Express version 6 2005Q4
* Sun Java System Communications Express version 6.3 (Communications Suite 5 or 6) without patch 122793-26.
Several cross-site scripting vulnerabilities were found in the following files/URLs of Sun Java System Communications Express:
1. 'https://<server>/uwc/abs/search.xml?'
2. 'http://<server>/uwc/base/UWCMain'
Cross-site scripting (XSS) vulnerabilities allow an attacker to execute arbitrary scripting code in the context of the user's browser (in the vulnerable application's domain). For example, an attacker could exploit an XSS vulnerability to steal user cookies (and then impersonate the legitimate user) or to fake a page requesting information from the user (e.g. credentials). This vulnerability occurs when user-supplied data is displayed without encoding.
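The root cause named above (user-supplied data displayed without encoding), shown as an added example that is not code from Sun or from the advisory: a hypothetical search response rendered without and with output encoding, plus a regression check a tester can run against either renderer. The function names, the response markup and the probe strings are assumptions constructed for illustration.

```javascript
"use strict";

// Characters that can change HTML/XML structure, and their entity forms.
// All five are replaced in a single pass so nothing is encoded twice.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function encodeForMarkup(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Before (hypothetical handler): the value is concatenated into the
// response as-is, in both an attribute and element text.
function renderSearchUnsafe(query) {
  return `<results term="${query}"><summary>No entries match ${query}</summary></results>`;
}

// After: every reflected value is encoded at the point of output.
function renderSearchSafe(query) {
  const q = encodeForMarkup(query);
  return `<results term="${q}"><summary>No entries match ${q}</summary></results>`;
}

// Count raw structural characters in a response.
function structuralCount(markup) {
  return (markup.match(/[<>"']/g) || []).length;
}

// Regression check: with correct encoding, the number of structural
// characters in the response depends only on the template, never on the
// input. A difference from a benign baseline means the value was
// reflected unencoded.
function reflectsUnencoded(render, probe) {
  return structuralCount(render(probe)) !== structuralCount(render("baseline"));
}

// Constructed probes: benign markup that would alter structure if it
// were reflected raw, and a legitimate value containing ' and &.
const MARKUP_PROBE = '"><b>probe</b>';
const LEGIT_VALUE = "O'Reilly & Sons";

console.log("unsafe renderer flagged:", reflectsUnencoded(renderSearchUnsafe, MARKUP_PROBE));
console.log("safe renderer flagged:  ", reflectsUnencoded(renderSearchSafe, MARKUP_PROBE));
console.log(renderSearchSafe(LEGIT_VALUE));
```

The check compares counts instead of searching for a fixed string, so it also flags a legitimate value such as a name with an apostrophe when a renderer reflects it raw.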
Patch Availability:
The Sun Alert for this issue has been assigned id 258068 and it is available at the following URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-258068-1.
CVE Information:
CVE-2009-1729