Vulnerability Name:

CVE-2009-4052 (CCN-54360)

Assigned: 2009-11-19
Published: 2009-11-19
Updated: 2017-08-17
Summary: Multiple cross-site scripting (XSS) vulnerabilities in the JSF Widget Library Runtime in IBM Rational Application Developer for WebSphere Software before 7.0.0.10 and Rational Software Architect before 7.0.0.10 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) the JSF Tree Control and (2) the JavaScript Resource Servlet.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2009-4052

Source: CCN
Type: SA37442
IBM Rational Products Cross-Site Scripting Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
37442

Source: AIXAPAR
Type: Vendor Advisory
PK90616

Source: AIXAPAR
Type: Vendor Advisory
PK94324

Source: CCN
Type: IBM Support and Downloads Web Site
Fixed APAR list for IBM Rational Application Developer for WebSphere Software version 7.0 fix packs

Source: CONFIRM
Type: Patch
http://www-01.ibm.com/support/docview.wss?uid=swg27012378

Source: CONFIRM
Type: Patch
http://www-01.ibm.com/support/docview.wss?uid=swg27012558

Source: OSVDB
Type: UNKNOWN
60319

Source: CCN
Type: OSVDB ID: 60319
IBM Rational Multiple Products JSF Widget Library Runtime Unspecified XSS

Source: BID
Type: UNKNOWN
37083

Source: CCN
Type: BID-37083
IBM Rational Products Multiple Cross Site Scripting Vulnerabilities

Source: XF
Type: UNKNOWN
rational-jsf-widget-xss(54360)

Vulnerable Configuration: Configuration 1:
  • cpe:/a:ibm:rational_application_developer_for_websphere:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_application_developer_for_websphere:7.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_application_developer_for_websphere:7.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_application_developer_for_websphere:7.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_application_developer_for_websphere:7.0.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_application_developer_for_websphere:7.0.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_application_developer_for_websphere:7.0.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_application_developer_for_websphere:7.0.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_application_developer_for_websphere:7.0.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_application_developer_for_websphere:7.0.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:7.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:7.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:7.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:7.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:7.0.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:7.0.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:7.0.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:7.0.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:7.0.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_software_architect:7.0.0.9:*:*:*:*:*:*:*
