The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability alert CVE-2006-5653 CVE-2007-2904

Sun Java System Messaging: Cross Site Scripting of errorHTML

Synthesis of the vulnerability

An attacker may execute Javascript code in the browser of a user, by using a malicious email.
Vulnerable systems: Sun Messaging.
Severity of this threat: 2/4.
Consequences of an attack: client access/rights.
Attacker's origin: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 24/05/2007.
References of this weakness: 102909, 6509577, BID-20832, CVE-2006-5653, CVE-2007-2904, VIGILANCE-VUL-6836.

Description of the vulnerability

The Webmail service can be activated on Sun Java System Messaging Server in order to provide web access to mailboxes.

The errorHTML() function of the script indexing the root directory does not correctly filter the "error" parameter. Data from this parameter is thus echoed into the web page without being escaped.

An attacker may therefore send an email in order to execute Javascript code in the user's browser.
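To illustrate the defect class the bulletin describes, here is an added example that is not code from Sun Java System Messaging Server: a minimal errorHTML()-style page builder that echoes the "error" parameter unescaped, the same builder with HTML escaping, and a check that tells the two apart. The function names, the probe string and the sample URL are constructed for the illustration.

```python
# Added example, not code from Sun Java System Messaging Server: a minimal
# errorHTML()-style page builder that reproduces the defect class in the
# bulletin (the "error" parameter echoed unescaped) beside a hardened
# version, plus a check a reviewer can run over any such page builder.
import html
from urllib.parse import parse_qs, urlsplit


def error_param_from_url(url: str) -> str:
    """Return the 'error' query parameter as the webmail script would read it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("error", [""])[0]


def error_html_unsafe(error: str) -> str:
    """Vulnerable pattern: the parameter is interpolated into markup as-is."""
    return f"<html><body><h1>Error</h1><p>{error}</p></body></html>"


def error_html_safe(error: str) -> str:
    """Hardened pattern: escape <, >, &, and quotes before interpolation."""
    return f"<html><body><h1>Error</h1><p>{html.escape(error, quote=True)}</p></body></html>"


def reflects_raw_markup(builder, probe: str = '<i a="b">x</i>') -> bool:
    """True if markup characters from the parameter survive unescaped in the page.

    The probe is a constructed harmless string; any value containing < > " will do.
    """
    page = builder(probe)
    return probe in page


# Constructed sample URL; the host is a placeholder, not a real system.
SAMPLE_URL = "http://webmail.example.invalid/?error=%3Ci%3Enot%20an%20error%3C/i%3E"

if __name__ == "__main__":
    param = error_param_from_url(SAMPLE_URL)
    print("parameter:", param)
    print("unsafe builder reflects raw markup:", reflects_raw_markup(error_html_unsafe))
    print("safe builder reflects raw markup:", reflects_raw_markup(error_html_safe))
```

The same check applies to any server-side template that interpolates request data into HTML: run reflects_raw_markup() against the page builder and treat a True result as a finding.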
