Security Advisory – SOS-11-009 – Oracle Sun GlassFish Enterprise Server Stored XSS Vulnerability
Release Date: 19-Jul-2011
Last Update: –
Vendor Notification Date: 23-Mar-2011
Product: Sun GlassFish Enterprise Server
Platform: Java EE
Affected versions: 2.1.1 (v2.1 Patch06) (9.1_02 Patch12) (build b31g-fcs) verified; possibly others
Severity Rating: Medium
Impact: Cookie/credential theft, impersonation, loss of confidentiality
Attack Vector: Remote without authentication
Solution Status: Vendor patch
CVE reference: CVE-2011-2260
Oracle Bug ID: 7030596
GlassFish is an open source application server project led by Sun Microsystems for the Java EE platform. The proprietary version is called Sun GlassFish Enterprise Server. GlassFish supports all Java EE API specifications, such as JDBC, RMI, e-mail, JMS, web services, XML, etc., and defines how to coordinate them.
Please refer to the PDF version of this advisory for proof of concept code examples.
Solution: Apply the vendor patch.
Sense of Security Labs.