CVE-2008-2751 (CNNVD-200806-251)

MEDIUM 有利用代码
中文标题:
Sun Java system Glassfish Glassfish webadmin界面多个跨站脚本攻击漏洞
英文标题:
Multiple cross-site scripting (XSS) vulnerabilities in the Glassfish webadmin interface in Sun Java ...
CVSS分数: 4.3
发布时间: 2008-06-18 19:29:00
漏洞类型: 跨站脚本
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v10
漏洞描述
中文描述:

Sun Java System 应用程序服务器9.1_01版本中的Glassfish webadmin界面存在多个跨站脚本漏洞。远程攻击者可以借助到(a)resourceNode/customResourceNew.jsf的(1)propertyForm:propertyContentPage:propertySheet:propertSectionTextField:jndiProp:JndiNew,(2)propertyForm:propertyContentPage:propertySheet:propertSectionTextField:resTypeProp:resType,(3)propertyForm:propertyContentPage:propertySheet:propertSectionTextField:factoryClassProp:factoryClass,或(4)propertyForm:propertyContentPage:propertySheet:propertSectionTextField:descProp:desc参数;到(b)resourceNode/externalResourceNew.jsfthe的(5)propertyForm:propertyContentPage:propertySheet:propertSectionTextField:jndiProp:JndiNew,(6)propertyForm:propertyContentPage:propertySheet:propertSectionTextField:resTypeProp:resType,(7)propertyForm:propertyContentPage:propertySheet:propertSectionTextField:factoryClassProp:factoryClass,(8)propertyForm:propertyContentPage:propertySheet:propertSectionTextField:jndiLookupProp:jndiLookup,或(9) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:descProp:desc参数;到(c)resourceNode/jmsDestinationNew.jsf的(10)propertyForm:propertySheet:propertSectionTextField:jndiProp:Jndi,(11)propertyForm:propertySheet:propertSectionTextField:nameProp:name,或(12)propertyForm:propertySheet:propertSectionTextField:descProp:desc参数;到(d)resourceNode/jmsConnectionNew.jsf的(13)propertyForm:propertySheet:generalPropertySheet:jndiProp:Jndi或(14)propertyForm:propertySheet:generalPropertySheet:descProp:cd 参数;到(e)resourceNode/jdbcResourceNew.jsf的(15)propertyForm:propertySheet:propertSectionTextField:jndiProp:jnditext或(16)propertyForm:propertySheet:propertSectionTextField:descProp:desc参数;到(f)applications/lifecycleModulesNew.jsf的(17)propertyForm:propertyContentPage:propertySheet:propertSectionTextField:nameProp:name,(18)propertyForm:propertyContentPage:propertySheet:propertSectionTextField:classNameProp:classname,或(19)propertyForm:propertyContentPage:propertySheet:propertSectionTextField:loadOrderProp:loadOrder参数;到(g)resourceNode/jdbcConnectionPoolNew1.jsf的(20)propertyForm:propertyContentPage:propertySheet:generalPropertySheet:jndiProp:name,(21)propertyForm:propertyContentPage:propertySheet:generalPropertySheet:resTypeProp:resType,或(22)propertyForm:propertyContentPage:propertySheet:generalPropertySheet:dbProp:db参数,注入任意的web脚本或HTML。

英文描述:

Multiple cross-site scripting (XSS) vulnerabilities in the Glassfish webadmin interface in Sun Java System Application Server 9.1_01 allow remote attackers to inject arbitrary web script or HTML via the (1) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:jndiProp:JndiNew, (2) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:resTypeProp:resType, (3) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:factoryClassProp:factoryClass, or (4) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:descProp:desc parameter to (a) resourceNode/customResourceNew.jsf; the (5) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:jndiProp:JndiNew, (6) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:resTypeProp:resType, (7) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:factoryClassProp:factoryClass, (8) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:jndiLookupProp:jndiLookup, or (9) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:descProp:desc parameter to (b) resourceNode/externalResourceNew.jsf; the (10) propertyForm:propertySheet:propertSectionTextField:jndiProp:Jndi, (11) propertyForm:propertySheet:propertSectionTextField:nameProp:name, or (12) propertyForm:propertySheet:propertSectionTextField:descProp:desc parameter to (c) resourceNode/jmsDestinationNew.jsf; the (13) propertyForm:propertySheet:generalPropertySheet:jndiProp:Jndi or (14) propertyForm:propertySheet:generalPropertySheet:descProp:cd parameter to (d) resourceNode/jmsConnectionNew.jsf; the (15) propertyForm:propertySheet:propertSectionTextField:jndiProp:jnditext or (16) propertyForm:propertySheet:propertSectionTextField:descProp:desc parameter to (e) resourceNode/jdbcResourceNew.jsf; the (17) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:nameProp:name, (18) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:classNameProp:classname, or (19) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:loadOrderProp:loadOrder parameter to (f) applications/lifecycleModulesNew.jsf; or the (20) propertyForm:propertyContentPage:propertySheet:generalPropertySheet:jndiProp:name, (21) propertyForm:propertyContentPage:propertySheet:generalPropertySheet:resTypeProp:resType, or (22) propertyForm:propertyContentPage:propertySheet:generalPropertySheet:dbProp:db parameter to (g) resourceNode/jdbcConnectionPoolNew1.jsf.

CWE类型:
CWE-79
标签:
remote multiple Eduardo Jorge OSVDB-46724 OSVDB-46725 OSVDB-46726 OSVDB-46727 OSVDB-46728 OSVDB-46729 OSVDB-46730
受影响产品
厂商 产品 版本 版本范围 平台 CPE
oracle glassfish_server 1.0 - - cpe:2.3:a:oracle:glassfish_server:1.0:*:*:*:*:*:*:*
oracle glassfish_server 2.0 - - cpe:2.3:a:oracle:glassfish_server:2.0:*:*:*:*:*:*:*
oracle glassfish_server 2.1 - - cpe:2.3:a:oracle:glassfish_server:2.1:*:*:*:*:*:*:*
oracle glassfish_server 2.1.1 - - cpe:2.3:a:oracle:glassfish_server:2.1.1:*:*:*:*:*:*:*
oracle glassfish_server 3.0 - - cpe:2.3:a:oracle:glassfish_server:3.0:*:*:*:*:*:*:*
oracle glassfish_server 3.0.1 - - cpe:2.3:a:oracle:glassfish_server:3.0.1:*:*:*:*:*:*:*
sun java_system_application_server 9.1_01 - - cpe:2.3:a:sun:java_system_application_server:9.1_01:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
20080614 Muitiple XSS - Glassfish Web Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs) ) mailing-list
cve.org
访问
glassfish-multiple-scripts-xss(42989) vdb-entry
cve.org
访问
3949 third-party-advisory
cve.org
访问
29751 vdb-entry
cve.org
访问
ExploitDB EDB-31922 EXPLOIT
exploitdb
访问
Download Exploit EDB-31922 EXPLOIT
exploitdb
访问
CVE Reference: CVE-2008-2751 ADVISORY
cve.org
访问
ExploitDB EDB-31923 EXPLOIT
exploitdb
访问
Download Exploit EDB-31923 EXPLOIT
exploitdb
访问
ExploitDB EDB-31924 EXPLOIT
exploitdb
访问
Download Exploit EDB-31924 EXPLOIT
exploitdb
访问
ExploitDB EDB-31925 EXPLOIT
exploitdb
访问
Download Exploit EDB-31925 EXPLOIT
exploitdb
访问
ExploitDB EDB-31926 EXPLOIT
exploitdb
访问
Download Exploit EDB-31926 EXPLOIT
exploitdb
访问
ExploitDB EDB-31927 EXPLOIT
exploitdb
访问
Download Exploit EDB-31927 EXPLOIT
exploitdb
访问
ExploitDB EDB-31928 EXPLOIT
exploitdb
访问
Download Exploit EDB-31928 EXPLOIT
exploitdb
访问
CVSS评分详情
4.3
MEDIUM
CVSS向量: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS版本: 2.0
机密性
NONE
完整性
PARTIAL
可用性
NONE
时间信息
发布时间:
2008-06-18 19:29:00
修改时间:
2024-08-07 09:14:14
创建时间:
2025-11-11 15:32:52
更新时间:
2025-11-11 16:26:39
利用信息
此漏洞有可利用代码!
利用代码数量: 7
利用来源:
未知 未知 未知 未知 未知 未知 未知
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2008-2751 2025-11-11 15:18:01 2025-11-11 07:32:52
NVD nvd_CVE-2008-2751 2025-11-11 14:52:34 2025-11-11 07:41:39
CNNVD cnnvd_CNNVD-200806-251 2025-11-11 15:09:01 2025-11-11 07:49:27
EXPLOITDB exploitdb_EDB-31922 2025-11-11 15:05:28 2025-11-11 08:26:39
EXPLOITDB exploitdb_EDB-31923 2025-11-11 15:05:28 2025-11-11 08:26:39
EXPLOITDB exploitdb_EDB-31924 2025-11-11 15:05:28 2025-11-11 08:26:39
EXPLOITDB exploitdb_EDB-31925 2025-11-11 15:05:28 2025-11-11 08:26:39
EXPLOITDB exploitdb_EDB-31926 2025-11-11 15:05:28 2025-11-11 08:26:39
EXPLOITDB exploitdb_EDB-31927 2025-11-11 15:05:28 2025-11-11 08:26:39
EXPLOITDB exploitdb_EDB-31928 2025-11-11 15:05:28 2025-11-11 08:26:39
版本与语言
当前版本: v10
主要语言: EN
支持语言:
EN ZH
其他标识符:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
安全公告
暂无安全公告信息
变更历史
v10 EXPLOITDB
2025-11-11 16:26:39
references_count: 17 → 19; tags_count: 9 → 10
查看详细变更
  • references_count: 17 -> 19
  • tags_count: 9 -> 10
v9 EXPLOITDB
2025-11-11 16:26:39
references_count: 15 → 17; tags_count: 8 → 9
查看详细变更
  • references_count: 15 -> 17
  • tags_count: 8 -> 9
v8 EXPLOITDB
2025-11-11 16:26:39
references_count: 13 → 15; tags_count: 7 → 8
查看详细变更
  • references_count: 13 -> 15
  • tags_count: 7 -> 8
v7 EXPLOITDB
2025-11-11 16:26:39
references_count: 11 → 13; tags_count: 6 → 7
查看详细变更
  • references_count: 11 -> 13
  • tags_count: 6 -> 7
v6 EXPLOITDB
2025-11-11 16:26:39
references_count: 9 → 11; tags_count: 5 → 6
查看详细变更
  • references_count: 9 -> 11
  • tags_count: 5 -> 6
v5 EXPLOITDB
2025-11-11 16:26:39
references_count: 7 → 9; tags_count: 4 → 5
查看详细变更
  • references_count: 7 -> 9
  • tags_count: 4 -> 5
v4 EXPLOITDB
2025-11-11 16:26:39
references_count: 4 → 7; tags_count: 0 → 4; data_sources: ['cnnvd', 'cve', 'nvd'] → ['cnnvd', 'cve', 'exploitdb', 'nvd']
查看详细变更
  • references_count: 4 -> 7
  • tags_count: 0 -> 4
  • data_sources: ['cnnvd', 'cve', 'nvd'] -> ['cnnvd', 'cve', 'exploitdb', 'nvd']
v3 CNNVD
2025-11-11 15:49:27
vulnerability_type: 未提取 → 跨站脚本; cnnvd_id: 未提取 → CNNVD-200806-251; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 跨站脚本
  • cnnvd_id: 未提取 -> CNNVD-200806-251
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:41:39
cvss_score: 未提取 → 4.3; cvss_vector: NOT_EXTRACTED → AV:N/AC:M/Au:N/C:N/I:P/A:N; cvss_version: NOT_EXTRACTED → 2.0; affected_products_count: 0 → 7; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • cvss_score: 未提取 -> 4.3
  • cvss_vector: NOT_EXTRACTED -> AV:N/AC:M/Au:N/C:N/I:P/A:N
  • cvss_version: NOT_EXTRACTED -> 2.0
  • affected_products_count: 0 -> 7
  • data_sources: ['cve'] -> ['cve', 'nvd']