CVE-2009-2897

EUVD-2009-2887
Multiple cross-site scripting (XSS) vulnerabilities in hq/web/common/GenericError.jsp in the generic exception handler in the web interface in SpringSource Hyperic HQ 3.2.x before 3.2.6.1, 4.0.x before 4.0.3.1, 4.1.x before 4.1.2.1, and 4.2-beta1; Application Management Suite (AMS) 2.0.0.SR3; and tc Server 6.0.20.B allow remote attackers to inject arbitrary web script or HTML via invalid values for numerical parameters, as demonstrated by an uncaught java.lang.NumberFormatException exception resulting from (1) the typeId parameter to mastheadAttach.do, (2) the eid parameter to Resource.do, and (3) the u parameter in a view action to admin/user/UserAdmin.do.  NOTE: some of these details are obtained from third party information.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
Affected Products (NVD)
VendorProductVersion
springsourceapplication_management_suite
2.0.0:sr3
springsourcehyperic_hq
3.2:beta_1
springsourcehyperic_hq
3.2.0
springsourcehyperic_hq
3.2.1
springsourcehyperic_hq
3.2.2
springsourcehyperic_hq
3.2.3
springsourcehyperic_hq
3.2.4
springsourcehyperic_hq
3.2.5
springsourcehyperic_hq
3.2.6
springsourcehyperic_hq
4.0.0
springsourcehyperic_hq
4.0.1
springsourcehyperic_hq
4.0.2
springsourcehyperic_hq
4.0.3
springsourcehyperic_hq
4.1.0
springsourcehyperic_hq
4.1.1
springsourcehyperic_hq
4.1.2
springsourcehyperic_hq
4.2:beta_1
springsourcetc_server
6.0.20:b
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=advisory&name=Hyperic_HQ_Multiple_XSS
http://forums.hyperic.com/jiveforums/thread.jspa?messageID=22156&#22156
http://jira.hyperic.com/browse/HHQ-2655
http://secunia.com/advisories/36935
http://www.coresecurity.com/content/hyperic-hq-vulnerabilities
http://www.osvdb.org/58608
http://www.osvdb.org/58609
http://www.osvdb.org/58610
http://www.securityfocus.com/archive/1/506935/100/0/threaded
http://www.securityfocus.com/archive/1/506936/100/0/threaded
http://www.springsource.com/security/hyperic-hq
https://exchange.xforce.ibmcloud.com/vulnerabilities/53658
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=advisory&name=Hyperic_HQ_Multiple_XSS
http://forums.hyperic.com/jiveforums/thread.jspa?messageID=22156&#22156
http://jira.hyperic.com/browse/HHQ-2655
http://secunia.com/advisories/36935
http://www.coresecurity.com/content/hyperic-hq-vulnerabilities
http://www.osvdb.org/58608
http://www.osvdb.org/58609
http://www.osvdb.org/58610
http://www.securityfocus.com/archive/1/506935/100/0/threaded
http://www.securityfocus.com/archive/1/506936/100/0/threaded
http://www.springsource.com/security/hyperic-hq
https://exchange.xforce.ibmcloud.com/vulnerabilities/53658