CVE-2009-1729

EPSS 5.3%

Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Communications Express 6 2005Q4 (aka 6.2) and 6.3 allow remote attackers to inject arbitrary web script or HTML via (1) the abperson_displayName parameter to uwc/abs/search.xml in the Add Contact implementation in the Personal Address Book component or (2) the temporaryCalendars parameter to uwc/base/UWCMain.

Affected products

n/a · n/a

public PoCs found — 2

exploitdbwww.exploit-db.com/exploits/32863unverified exploitdbwww.exploit-db.com/exploits/32864unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://osvdb.org/54609 http://osvdb.org/54610 http://seclists.org/fulldisclosure/2009/May/0177.html http://secunia.com/advisories/32474 http://securitytracker.com/alerts/2009/May/1022266.html https://exchange.xforce.ibmcloud.com/vulnerabilities/50658 http://sunsolve.sun.com/search/document.do?assetkey=1-21-122793-26-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-258068-1 http://www.coresecurity.com/content/sun-communications-express http://www.securityfocus.com/archive/1/503675/100/0/threaded http://www.securityfocus.com/bid/34154 http://www.securityfocus.com/bid/34155