Vulnerability CVE-2006-0254 - CERT Civis.Net

Vulnerability Name:

CVE-2006-0254 (CCN-24159)

Assigned:

2006-01-16

Published:

2006-01-16

Updated:

2018-10-19

Summary:

Multiple cross-site scripting (XSS) vulnerabilities in Apache Geronimo 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) time parameter to cal2.jsp and (2) any invalid parameter, which causes an XSS when the log file is viewed by the Web-Access-Log viewer.

CVSS v3 Severity:

3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2006-0254

Source: CCN
Type: The Apache Software Foundation Web site
[GERONIMO-1474] Cross site scripting vulnerabilites

Source: MISC
Type: Exploit, Vendor Advisory
http://issues.apache.org/jira/browse/GERONIMO-1474

Source: CCN
Type: RHSA-2006-0161
RHAPS security and enhancement update

Source: CCN
Type: RHSA-2006-0592
tomcat security update for Red Hat Application Server

Source: CCN
Type: RHSA-2008-0261
Moderate: Red Hat Network Satellite Server security update

Source: CCN
Type: RHSA-2008-0524
Low: Red Hat Network Satellite Server security update

Source: CCN
Type: RHSA-2008-0630
Low: Red Hat Network Satellite Server security update

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0630

Source: CCN
Type: SA18485
Apache Geronimo Web-Access-Log Viewer Script Insertion

Source: SECUNIA
Type: Vendor Advisory
18485

Source: SECUNIA
Type: UNKNOWN
31493

Source: CCN
Type: oliverkarow.de
Apache Geronimo 1.0 - CSS and persistent HTML-Injection vulnerabilities

Source: MISC
Type: Exploit, Vendor Advisory
http://www.oliverkarow.de/research/geronimo_css.txt

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0261

Source: BUGTRAQ
Type: UNKNOWN
20060115 Apache Geronimo 1.0 - CSS and persistent HTML-Injectionvulnerabilities

Source: BID
Type: Exploit
16260

Source: CCN
Type: BID-16260
Apache Geronimo Multiple Input Validation Vulnerabilities

Source: VUPEN
Type: UNKNOWN
ADV-2006-0217

Source: XF
Type: UNKNOWN
geronimo-jspexamples-xss(24158)

Source: XF
Type: UNKNOWN
geronimo-webaccesslog-viewer-xss(24159)

Source: XF
Type: UNKNOWN
geronimo-webaccesslog-viewer-xss(24159)

Source: CONFIRM
Type: UNKNOWN
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12310181&styleName=Html&projectId=10220&Create=Create

Source: CCN
Type: IBM Security Bulletin 728841 (Sterling B2B Integrator)
Multiple Security Vulnerabilities in Apache Geronimo Affect IBM Sterling B2B Integrator

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:geronimo:1.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:apache:geronimo:1.0:*:*:*:*:*:*:*

AND

cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

OR cpe:/o:redhat:linux_advanced_workstation:2.1:*:itanium:*:*:*:*:*

OR cpe:/a:redhat:rhel_application_server:2:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.1:*:*:*:standard:*:*:*

OR cpe:/a:ibm:sterling_b2b_integrator:5.2.6.3:*:*:*:*:*:*:*

Denotes that component is vulnerable