Vulnerability Name:

CVE-2007-2904 (CCN-29939)

Assigned:2006-10-31
Published:2006-10-31
Updated:2008-11-15
Summary:Cross-site scripting (XSS) vulnerability in Sun Java System Messaging Server 6.0 through 6.3, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly a related issue to CVE-2006-5653.
CVSS v3 Severity:4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: Full-Disclosure Mailing List, Mon Oct 30 2006 - 22:20:11 CST
Sun Java System Messenger Express XSS

Source: MITRE
Type: CNA
CVE-2006-5653

Source: MITRE
Type: CNA
CVE-2007-2904

Source: OSVDB
Type: UNKNOWN
38146

Source: CCN
Type: SA22663
Sun Java System Messenger Express "error" Cross-Site Scripting

Source: CCN
Type: SECTRACK ID: 1018106
Sun Java System Messaging Server Input Validation Hole Permits Cross-Site Scripting Attacks

Source: CCN
Type: Sun Alert ID: 102909
Cross-site Scripting Vulnerability in Sun Java System Messaging Server

Source: SUNALERT
Type: Patch, Vendor Advisory
102909

Source: CCN
Type: ASA-2007-213
Cross-site Scripting Vulnerability in Sun Java System Messaging Server (Sun 102909)

Source: CCN
Type: OSVDB ID: 38146
Sun Java System Messaging Server Unspecified XSS

Source: CCN
Type: OSVDB ID: 49836
Sun Java System Messaging Server Unspecified XSS

Source: CCN
Type: BID-20832
Sun Java System Messenger Express Cross-Site Scripting Vulnerability

Source: SECTRACK
Type: UNKNOWN
1018106

Source: CCN
Type: Sun Java System Messaging Server Web site
Sun Java System Messaging Server

Source: XF
Type: UNKNOWN
sun-messaging-index-xss(29939)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:sun:java_system_messaging_server:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_system_messaging_server:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_system_messaging_server:6.2:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_system_messaging_server:6.3:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:sun:java_system_messaging_server:6.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_2000_advanced_server:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:sun:solaris:8::sparc:*:*:*:*:*
  • OR cpe:/o:sun:solaris:9::x86:*:*:*:*:*
  • OR cpe:/o:sun:solaris:10::sparc:*:*:*:*:*
  • OR cpe:/o:sun:solaris:10::x86:*:*:*:*:*
  • OR cpe:/o:sun:solaris:9::sparc:*:*:*:*:*
