JVNDB-2006-000293

Sun Java System Web Server cross-site scripting vulnerability

Overview

Sun Java System Web Server (originally called Sun ONE Web Server) contains a cross-site scripting vulnerability. A vulnerable web server does not adequately validate the HTTP REFERER header before using the contents in the default error page.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Sun Microsystems, Inc.
  • Sun Java System Application Server 7 2004Q2 Standard Edition Update 2 and earlier
  • Sun Java System Application Server 7 2004Q2 Enterprise Edition Update 2 and earlier
  • Sun Java System Web Server 6.0 SP9 and earlier
  • Sun Java System Web Server 6.1 SP4 and earlier
  • Sun ONE Application Server 7 Platform Edition Update 6 and earlier
  • Sun ONE Application Server 7 Standard Edition Update 6 and earlier

Impact

A malicious script may be executed on the user's web browser.
Solution

Vendor Information

Sun Microsystems, Inc.
  • Sun Alert Notification : 102164

CWE

CVE

  1. CVE-2006-2501
References

  1. JVN : JVN#03D5EAA8
  2. National Vulnerability Database (NVD) : CVE-2006-2501
  3. US-CERT Vulnerability Note : VU#114956
  4. SecurityFocus : 18035
Revision History

  • [2008/05/21]
      Web page published