Eric Hobbs has reported a vulnerability in Sun Java System Application Server, which can be exploited by malicious people to conduct cross-site scripting attacks.
The vulnerability is caused due to an unspecified input validation error and can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
The following versions are affected:
* Sun Java System Application Server Standard Edition 7 Update Release 5 and prior
* Sun Java System Application Server Platform Edition 7 Update Release 5 and prior
* Sun Java System Application Server 7 2004Q2 Standard Edition Update Release 1 and prior
* Sun Java System Application Server 7 2004Q2 Enterprise Edition Update Release 1 and prior
SOFTWARE:
Sun Java System Application Server (Sun ONE) 7.x
SOLUTION:
The vendor has issued updated versions.
Sun Java System Application Server 7 Standard Edition Update 6:
http://www.sun.com/download/products.xml?id=41c239a4
Sun Java System Application Server 7 Platform Edition Update 6:
http://www.sun.com/download/products.xml?id=41c374e2
Sun Java System Application Server 7 2004Q2 Standard Edition Update
2:
http://www.sun.com/download/products.xml?id=41e32dfb
Sun Java System Application Server 7 2004Q2 Enterprise Edition Update
2:
https://osc-amer.sun.com/OSCSW/svcportal?pageName=clselection
PROVIDED AND/OR DISCOVERED BY:
Eric Hobbs, MagnaWare.
ORIGINAL ADVISORY:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57742-1
VERIFY ADVISORY:
http://secunia.com/advisories/14677/
Secunia Security Advisories
http://community.securityteam.us/article.php/20050328084215974