Cross-Site Scripting Vulnerability in Sun Java System Communications Express
CVE-2010-1227

Key Information:

Vendor
Oracle
CVE Published
1 April 2010

Summary

A cross-site scripting (XSS) vulnerability exists in Sun Java System Communications Express versions 6.2 and 6.3. The subject field of a message is rendered without adequate output encoding, so remote attackers can inject arbitrary web script or HTML into the page shown to the recipient. The impact is demonstrated by a subject containing an IMG element whose SRC attribute points at cmd.msc with chosen cmd and argv parameters: when the recipient views the message, the browser issues that request with the recipient's session, turning the XSS into a cross-site request forgery (CSRF). Organizations running affected versions should apply the vendor's security patches to mitigate this vulnerability.
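The root cause described above is a subject string written into HTML without encoding. The following added example (not code from the advisory or from the product) contrasts the unsafe rendering with HTML-encoded rendering and adds a simple detection heuristic a mail administrator could run over raw subjects. The sample subjects, the hostname and the cmd/argv values are constructed placeholders.

```python
import html
import re

# Constructed sample subjects (not from the advisory). The second one carries the
# shape the CVE describes: an IMG element whose SRC points at cmd.msc. The host
# and the cmd/argv values are placeholders, not real ones.
SAMPLE_SUBJECTS = [
    "Quarterly report attached",
    '<img src="http://mail.example.invalid/cmd.msc?cmd=PLACEHOLDER&argv=PLACEHOLDER">',
]

# Anything that looks like an HTML tag inside a plain-text subject.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_subject_raw(subject: str) -> str:
    """The vulnerable pattern: the subject is placed into the page verbatim."""
    return subject


def render_subject(subject: str) -> str:
    """The mitigation: encode every HTML metacharacter (including quotes) so the
    browser treats the subject as text, never as markup."""
    return html.escape(subject, quote=True)


def subject_has_markup(subject: str) -> bool:
    """Detection heuristic for logging or alerting on incoming mail:
    a legitimate subject almost never contains a tag-like construct."""
    return bool(_TAG_RE.search(subject))


def browser_would_load_img(rendered_html: str) -> bool:
    """Crude check for the effect that matters for the CSRF step: does the
    rendered fragment still contain an <img ...> element the browser would fetch?"""
    return re.search(r"<\s*img\b", rendered_html, re.IGNORECASE) is not None


def triage(subjects):
    """For each subject, return (safely rendered text, flagged-as-markup)."""
    return [(render_subject(s), subject_has_markup(s)) for s in subjects]


if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        raw = render_subject_raw(subject)
        safe = render_subject(subject)
        print(f"raw fetches image:  {browser_would_load_img(raw)}")
        print(f"safe fetches image: {browser_would_load_img(safe)}")
        print(f"flagged:            {subject_has_markup(subject)}")
        print(f"rendered:           {safe}\n")
```

Encoding at the point of output is the fix that removes the vulnerability class; the detection heuristic is only a supporting signal, since attackers can vary the markup and benign subjects occasionally contain angle brackets.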

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved
