CVE-2009-0038

Apache Geronimo Application Server <2.1.3 - XSS

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring; or (5) the PATH_INFO to the default URI under console/portal/.

Exploits (2)

exploitdb WRITEUP VERIFIED

by DSecRG · textremotemultiple

https://www.exploit-db.com/exploits/32921

View Code ZIP pw:eip

exploitdb WRITEUP VERIFIED

by DSecRG · textremotemultiple

https://www.exploit-db.com/exploits/32920

View Code ZIP pw:eip

References (7)

[Exploit] http://dsecrg.com/pages/vul/show.php?id=119

[Patch, Vendor Advisory] http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214

[Patch] http://issues.apache.org/jira/browse/GERONIMO-4597

[Exploit] http://www.securityfocus.com/bid/34562

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/502734/100/0/threaded

[Third Party Advisory] http://secunia.com/advisories/34715

[Third Party Advisory] http://www.vupen.com/english/advisories/2009/1089

Scores

EPSS 0.2367

EPSS Percentile 95.9%

Classification

CWE

CWE-79

Status draft

Affected Products (5)

apache/geronimo

apache/geronimo

apache/geronimo

apache/geronimo

org.apache.geronimo.plugins/console < 2.1.4Maven

Timeline

Published Apr 17, 2009

Tracked Since Feb 18, 2026