CVE-2011-3606: XSS
First published: Mon Oct 03 2011(Updated: )
A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Jboss Application Server | =7.0.0 | |
| Redhat Jboss Application Server | =7.0.1 | |
| Redhat Jboss Application Server | =7.0.2 | |
| Redhat Jboss Application Server | =7.0.0-alpha1 | |
| Redhat Jboss Application Server | =7.0.0-beta1 | |
| Redhat Jboss Application Server | =7.0.0-beta2 | |
| Redhat Jboss Application Server | =7.0.0-beta3 | |
| Redhat Jboss Application Server | =7.0.0-cr1 | |
| debian/jbossas4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2011-3606 https://nvd.nist.gov/vuln/detail/CVE-2011-3606
- https://bugzilla.redhat.com/show_bug.cgi?id=742984
- https://access.redhat.com/security/cve/cve-2011-3606
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=742984#c4
- http://localhost:9990/console/App.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=742984#c6
- https://github.com/heiko-braun/as7-console/commit/6e9146067cc05ea3c84305aa159d9c5036fe4383
- https://security-tracker.debian.org/tracker/CVE-2011-3606
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606
Frequently Asked Questions
What is CVE-2011-3606?
CVE-2011-3606 is a DOM based cross-site scripting vulnerability found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console.
How does CVE-2011-3606 work?
An attacker can provide a specially-crafted web page and trick a valid JBoss AS user with administrator privileges to visit it, leading to DOM exploitation.
What is the severity of CVE-2011-3606?
The severity of CVE-2011-3606 is rated as medium with a CVSS score of 5.4.
Which software versions are affected by CVE-2011-3606?
JBoss Application Server versions 7.0.0, 7.0.1, and 7.0.2 are affected by CVE-2011-3606.
How can CVE-2011-3606 be fixed?
Update JBoss Application Server to version 7.1.0 Beta 1 or later, which includes a fix for the vulnerability.
- collector/redhat-cve
- collector/redhat-bugzilla
- alias/CVE-2011-3606
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/severity
- agent/author
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/description
- agent/tags
- agent/event
- vendor/redhat
- canonical/redhat jboss application server
- version/redhat jboss application server/7.0.0
- version/redhat jboss application server/7.0.1
- version/redhat jboss application server/7.0.2
- version/redhat jboss application server/7.0.0-alpha1
- version/redhat jboss application server/7.0.0-beta1
- version/redhat jboss application server/7.0.0-beta2
- version/redhat jboss application server/7.0.0-beta3
- version/redhat jboss application server/7.0.0-cr1
- package-manager/debian