CVE-2009-0038

Apache Geronimo Application Server <2.1.3 - XSS

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-0038. PoCs published by DSecRG.

AI-analyzed exploit summary The provided text describes multiple vulnerabilities in Apache Geronimo Application Server, including XSS and directory traversal issues. It includes example payloads for XSS exploitation but lacks executable exploit code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring; or (5) the PATH_INFO to the default URI under console/portal/.

Exploits (2)

exploitdb WRITEUP VERIFIED

by DSecRG · textremotemultiple

https://www.exploit-db.com/exploits/32920

View Code ZIP pw:eip

The provided text describes multiple vulnerabilities in Apache Geronimo Application Server, including XSS and directory traversal issues. It includes example payloads for XSS exploitation but lacks executable exploit code.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Theoretical

Target: Apache Geronimo 2.1 through 2.1.3

No auth needed

Prerequisites: Access to the vulnerable web interface

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP VERIFIED

by DSecRG · textremotemultiple

https://www.exploit-db.com/exploits/32921

View Code ZIP pw:eip

The provided text describes multiple vulnerabilities in Apache Geronimo Application Server, including directory traversal, XSS, HTML injection, and CSRF. It includes a sample XSS payload but lacks executable exploit code.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Theoretical

Target: Apache Geronimo 2.1 through 2.1.3

No auth needed

Prerequisites: Access to a vulnerable Apache Geronimo instance

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7

Core References

Patch, Vendor Advisory x_refsource_confirm

http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/1089

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/34562

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/502734/100/0/threaded

Patch x_refsource_confirm

http://issues.apache.org/jira/browse/GERONIMO-4597

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34715

Exploit x_refsource_misc

http://dsecrg.com/pages/vul/show.php?id=119

Scores

EPSS 0.2631

EPSS Percentile 96.4%

Details

CWE

CWE-79

Status published

Products (5)

apache/geronimo 2.1

apache/geronimo 2.1.1

apache/geronimo 2.1.2

apache/geronimo 2.1.3

org.apache.geronimo.plugins/console 2.1.0 - 2.1.4Maven

Published Apr 17, 2009

Tracked Since Feb 18, 2026