CVE-2009-0038

Apache Geronimo Application Server <2.1.3 - XSS

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring; or (5) the PATH_INFO to the default URI under console/portal/.

Exploits (2)

exploitdb WRITEUP VERIFIED

by DSecRG · textremotemultiple

https://www.exploit-db.com/exploits/32920

View Code ZIP pw:eip

exploitdb WRITEUP VERIFIED

by DSecRG · textremotemultiple

https://www.exploit-db.com/exploits/32921

View Code ZIP pw:eip

References (7)

[Exploit] http://dsecrg.com/pages/vul/show.php?id=119

[Patch, Vendor Advisory] http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214

[Patch] http://issues.apache.org/jira/browse/GERONIMO-4597

[Exploit] http://www.securityfocus.com/bid/34562

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/502734/100/0/threaded

[Third Party Advisory] http://secunia.com/advisories/34715

[Third Party Advisory] http://www.vupen.com/english/advisories/2009/1089

Scores

EPSS 0.2367

EPSS Percentile 96.0%

Details

CWE

CWE-79

Status published

Products (5)

apache/geronimo 2.1

apache/geronimo 2.1.1

apache/geronimo 2.1.2

apache/geronimo 2.1.3

org.apache.geronimo.plugins/console 2.1.0 - 2.1.4Maven

Published Apr 17, 2009

Tracked Since Feb 18, 2026