The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Sun Java System Calendar: three vulnerabilities

Synthesis of the vulnerability

Three vulnerabilities in Sun Java System Calendar Server can be used by an attacker to perform two Cross Site Scripting attacks and a denial of service.
Vulnerable software: Sun Calendar.
Severity of this announcement: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 01/04/2009.
References for this computer vulnerability: 255008, 256228, 6728790, 6793984, BID-34150, BID-34152, BID-34153, CORE-2009-0108, CVE-2009-1218, CVE-2009-1219, VIGILANCE-VUL-8581.

Description of the vulnerability

Three vulnerabilities were announced in Sun Java System Calendar Server.

The "Fmt-out" parameter of the https://server:3443/login.wcap page is not filtered before being displayed, which leads to a Cross Site Scripting. [severity:2/4; 256228, 6793984, BID-34152, CVE-2009-1218]

The "date" parameter of the https://server:3443/command.shtml page is not filtered before being displayed, which leads to a Cross Site Scripting. [severity:2/4; 256228, 6793984, BID-34153, CVE-2009-1218]

When the attacker uses the "tzid" parameter twice, the web server stops. [severity:2/4; 255008, 6728790, BID-34150, CVE-2009-1219]
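A log-based check for the three issues above, added here as an example; it is not part of the Vigil@nce bulletin or of Sun's software. It assumes Common Log Format access lines from the Calendar Server front end, uses the pages and parameter names the bulletin gives, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Pages and the reflected parameters the bulletin names (compared case-insensitively).
REFLECTED = {"/login.wcap": {"fmt-out"}, "/command.shtml": {"date"}}
# Characters that have no business in a value the server echoes into HTML unfiltered.
HTML_META = re.compile(r'[<>"\']')
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (Common Log Format); not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2009:10:00:01 +0200] "GET /login.wcap?fmt-out=text%2Fxml HTTP/1.1" 200 512
10.0.0.6 - - [01/Apr/2009:10:00:02 +0200] "GET /login.wcap?Fmt-out=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640
10.0.0.7 - - [01/Apr/2009:10:00:03 +0200] "GET /command.shtml?date=20090401 HTTP/1.1" 200 300
10.0.0.8 - - [01/Apr/2009:10:00:04 +0200] "GET /command.shtml?date=%3Cb%3E20090401 HTTP/1.1" 200 300
10.0.0.9 - - [01/Apr/2009:10:00:05 +0200] "GET /command.shtml?tzid=UTC&tzid= HTTP/1.1" 500 0
"""


def classify(line):
    """Return finding labels for one log line; an empty list means nothing matched."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    # keep_blank_values so an empty repeated tzid still counts; parse_qsl percent-decodes values
    params = [(k.lower(), v) for k, v in parse_qsl(url.query, keep_blank_values=True)]
    findings = []
    # Issues 1 and 2 (CVE-2009-1218): HTML metacharacters in a parameter the page reflects unfiltered
    for name, value in params:
        if name in REFLECTED.get(path, ()) and HTML_META.search(value):
            findings.append(f"xss:{path}:{name}")
    # Issue 3 (CVE-2009-1219): "tzid" supplied more than once stops the web server
    if sum(1 for name, _ in params if name == "tzid") > 1:
        findings.append("dos:duplicate-tzid")
    return findings


def scan(log_text):
    """Map each flagged log line to its findings so the rest of the log can be ignored."""
    hits = {}
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            hits[line] = findings
    return hits


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG).items():
        print(findings, line)
```

A hit on the duplicate-tzid rule paired with a 5xx status or a gap in the log is the signature of the crash the bulletin describes, and is worth correlating with the server's own process restarts.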

This computer vulnerability bulletin impacts software or systems such as Sun Calendar.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is medium.

The trust level is "confirmed by the editor", with an origin of "document".

This bulletin is about 3 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with beginner skills can exploit this threat.

Solutions for this threat

Sun Java System Calendar: patch.
A patch is available (for version 6.3):
  SPARC platform: patch 121657-34
  x86 platform: patch 121658-34
  Linux: patch 121659-34

Computer vulnerabilities tracking service

Vigil@nce provides system vulnerability bulletins. The Vigil@nce computer vulnerability tracking service alerts your teams to vulnerabilities or threats impacting your information system.