Executive Summary
| Summary | |
|---|---|
| Title | Sun Alert 103180 Multiple Security Vulnerabilities in the Sun Java System Identity Manager May Allow HTML Injection, Cross-Site Scripting Exploits or Unauthorized Redirection |
| Informations | |||
|---|---|---|---|
| Name | SUN-103180 | First vendor Publication | 2008-01-09 |
| Vendor | Sun | Last vendor Modification | 2008-01-16 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 5.8 | Attack Range | Network |
| Cvss Impact Score | 4.9 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Product: Sun Java System Identity Manager 7.0, Sun Java System Identity Manager 6.0, Sun Java System Identity Manager 7.1 Sun Java System Identity Manager is affected by multiple security vulnerabilties with varying impacts. Four Cross-site Scripting (XSS) vulnerabilities may allow local or remote unprivileged users the ability to execute unauthorized scripting code in a user's browser when that user clicks a link to Sun Java System Identity Manager. In addition, a further vulnerability may allow a local or remote unprivileged user to inject unauthorized HTML code into a user's browser when that user clicks a link to Sun Java System Identity Manager. Two additional vulnerabilities may allow a local or remote unprivileged user to redirect the browser to unintended remote sites or to inject frames containing data from unintended sites. Sun would like to acknowledge with thanks, Adrian Pastor and Jan Fry of ProCheckUp Ltd. for bringing 6 of these issues to our attention. Avoidance: Patch State: Resolved First released: 09-Jan-2008 |
Original Source
| Url : http://blogs.sun.com/security/entry/sun_alert_103180_multiple_security |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 67 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
| 33 % | CWE-20 | Improper Input Validation |
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 43279 | Sun Java System Identity Manager /idm/help/index.jsp helpUrl Variable Remote ... |
| 42024 | Sun Java System Identity Manager /idm/user/login.jsp nextPage Variable Arbitr... |
| 40750 | Sun Java System Identity Manager /idm/user/main.jsp activeControl Parameter XSS Sun Java System Identity Manager contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "activeControl" parameter upon submission to the "/idm/user/main.jsp" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 40749 | Sun Java System Identity Manager /idm/account/findForSelect.jsp resultsForm P... |
| 40748 | Sun Java System Identity Manager /idm/login.jsp Multiple Parameter XSS |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2008-01-11 | Name : The remote web server contains an application that is affected by multiple cr... File : sun_idm_xss.nasl - Type : ACT_ATTACK |
