CVE-2009-0038
Apache Geronimo Application Server multiple cross-site scripting (XSS) vulnerabilities
EPSS 26.3%
Description
Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring; or (5) the PATH_INFO to the default URI under console/portal/.
How to fix CVE-2009-0038
To remediate CVE-2009-0038, upgrade the affected package to the fixed version listed below.
- Maven/org.apache.geronimo.plugins:console (upgrade to 2.1.4 or later)
Is CVE-2009-0038 being exploited?
Moderate — EPSS is 26.3%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- Maven/org.apache.geronimo.plugins:console: versions >= 2.1.0, < 2.1.4