Cross-site scripting in JBoss Application Server - CVE-2011-3606


Published: November 26, 2019 / Updated: August 8, 2020


Vulnerability identifier: #VU35038
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2011-3606
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software: JBoss Application Server

Detailed vulnerability description

The vulnerability allows a remote authenticated user to read and manipulate data.

A DOM-based cross-site scripting flaw was found in the administration console of JBoss Application Server 7 before 7.1.0 Beta 1. A remote attacker could craft a web page and trick a valid JBoss AS user who holds the administrator privilege into visiting it; doing so would modify the DOM environment of the console in the victim's browser and allow execution of arbitrary HTML or web script.
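The pattern behind a DOM-based XSS of this kind, shown as an added illustration that is not the JBoss AS console's own code: untrusted data from the page URL (here the fragment, which a crafted page can set when it links the administrator to the console) flows into markup that the console script would assign to an element, beside a hardened version that accepts only known view names and escapes what it echoes. The `#view=` fragment format, the view names and the sample inputs are constructed assumptions.

```javascript
// Constructed sample fragments: one benign, one carrying markup that an
// innerHTML-style sink would interpret as an element with an event handler.
const BENIGN_FRAGMENT = '#view=datasources';
const HOSTILE_FRAGMENT = '#view=<img src=x onerror=alert(1)>';

// Vulnerable pattern (hypothetical, not the JBoss code): the value taken from
// the fragment is interpolated straight into markup. The returned string is
// what such a console script would assign to element.innerHTML, so markup in
// the fragment becomes live DOM, which is the "DOM environment modification".
function renderViewUnsafe(fragment) {
  const view = decodeURIComponent(fragment.replace(/^#view=/, ''));
  return `<h2>Console: ${view}</h2>`;
}

// Hardened pattern: the fragment only selects among known views (allow-list),
// and the text that is echoed is HTML-escaped as defence in depth.
const KNOWN_VIEWS = new Set(['overview', 'datasources', 'deployments']);

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderViewSafe(fragment) {
  const view = decodeURIComponent(fragment.replace(/^#view=/, ''));
  if (!KNOWN_VIEWS.has(view)) {
    // Do not echo untrusted text into markup; fall back to a fixed message.
    return '<h2>Console: unknown view</h2>';
  }
  return `<h2>Console: ${escapeHtml(view)}</h2>`;
}

// Stand-alone demonstration of both paths on the constructed inputs.
console.log('unsafe, hostile :', renderViewUnsafe(HOSTILE_FRAGMENT));
console.log('safe, hostile   :', renderViewSafe(HOSTILE_FRAGMENT));
console.log('safe, benign    :', renderViewSafe(BENIGN_FRAGMENT));
```

The same allow-list check belongs wherever fragment or query data selects console state; escaping alone does not help when the value is used as markup rather than text.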


How to mitigate CVE-2011-3606

Install the update from the vendor's website.

Sources