CVE-2006-0254

Apache Geronimo < 1.1 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in Apache Geronimo 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) time parameter to cal2.jsp and (2) any invalid parameter, which causes an XSS when the log file is viewed by the Web-Access-Log viewer.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Oliver Karow · text · remote · multiple
https://www.exploit-db.com/exploits/27095
exploitdb WRITEUP VERIFIED
by Oliver Karow · text · remote · multiple
https://www.exploit-db.com/exploits/27096

Scores

EPSS 0.4532
EPSS Percentile 97.6%

Details

Status published
Products (2)
apache/geronimo 1.0
geronimo/geronimo-console-standard 0 - 1.1 (Maven)
Published Jan 18, 2006
Tracked Since Feb 18, 2026