CVE-2009-0307

EUVD-2009-0312

22.04.2009, 18:30

Cross-site scripting (XSS) vulnerability in the "Customize Statistics Page" (admin/statistics/ConfigureStatistics) in the MDS Connection Service in Research in Motion (RIM) BlackBerry Enterprise Server (BES) before 4.1.6 MR5 allows remote attackers to inject arbitrary web script or HTML via the (1) customDate, (2) interval, (3) lastCustomInterval, (4) lastIntervalLength, (5) nextCustomInterval, (6) nextIntervalLength, (7) action, (8) delIntervalIndex, (9) addStatIndex, (10) delStatIndex, and (11) referenceTime parameters.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:N/I:P/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 87%

Affected Products (NVD)

Vendor	Product	Version
rim	blackberry_enterprise_server	𝑥 ≤ 4.1.6
rim	blackberry_enterprise_server	4.0
rim	blackberry_enterprise_server	4.0:sp3
rim	blackberry_enterprise_server	4.0.3
rim	blackberry_enterprise_server	4.1
rim	blackberry_enterprise_server	4.1:sp3
rim	blackberry_enterprise_server	4.1.3
rim	blackberry_enterprise_server	4.1.4
rim	blackberry_enterprise_server	4.1.5
rim	blackberry_enterprise_server	4.1.6