製品・ソフトウェアに関する情報

JVN脆弱性詳細

SpringSource tc Server などの製品におけるクロスサイトスクリプティングの脆弱性

Title	SpringSource tc Server などの製品におけるクロスサイトスクリプティングの脆弱性
Summary	SpringSource tc Server、Application Management Suite (AMS)、Hyperic HQ には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者により、description フィールドおよび不特定の "input フィールド" を介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 23, 2010, midnight
Registration Date	Dec. 20, 2012, 7:28 p.m.
Last Update	Dec. 20, 2012, 7:28 p.m.

Affected System

SpringSource

application management suite 2.0.0.SR4 未満

Hyperic HQ 4.2.x 未満の Open Source、4.0.3.2 未満の 4.0 Enterprise、および 4.1.2.1 未満の 4.1 Enterprise

tc server 6.0.20.B およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-2907	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2907
National Vulnerability Database (NVD)
2	CVE-2009-2907	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2907
SpringSource
3	CVE-2009-2907: Multiple XSS vulnerabilities	http://support.springsource.com/security/cve-2009-2907

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

Change Log

No	Changed Details	Date of change
0	[2012年12月20日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-2907

Summary	Multiple cross-site scripting (XSS) vulnerabilities in SpringSource tc Server 6.0.20.B and earlier, Application Management Suite (AMS) before 2.0.0.SR4, Hyperic HQ Open Source before 4.2.x, Hyperic HQ 4.0 Enterprise before 4.0.3.2, and Hyperic HQ 4.1 Enterprise before 4.1.2.1 allow remote attackers to inject arbitrary web script or HTML via the description field and unspecified "input fields."
Summary	Per: http://www.springsource.com/security/cve-2009-2907 'Mitigation: * Hyperic HQ Open Source users should upgrade to Hyperic HQ 4.2.x * Hyperic HQ 4.0 Enterprise users should upgrade to 4.2.x or 4.0.3.2 * Hyperic HQ 4.1 Enterprise users should upgrade to 4.2.x or 4.1.2.1 * Users of any earlier Enterprise version should upgrade to 4.2.x * AMS users should upgrade to 2.0.0.SR4 * tc Server users should upgrade to AMS 2.0.0.SR4 To protect against this issue until systems have been upgraded and/or patches have been applied, system administrators should ensure untrusted users do not have the necessary privileges to create alerts.'
Publication Date	March 25, 2010, 7:45 a.m.
Registration Date	Jan. 29, 2021, 1:22 p.m.
Last Update	March 25, 2010, 1 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:springsource:application_management_suite::sr3::::::*		2.0.0
cpe:2.3:a:springsource:hyperic_hq::::::::		4.0.0
cpe:2.3:a:springsource:hyperic_hq::::::::		4.1.0
cpe:2.3:a:springsource:hyperic_hq::beta_1::::::*		4.2
cpe:2.3:a:springsource:tc_server::b::::::*		6.0.20

Related information, measures and tools

No	URL	refsource	タグ
1	http://www.securityfocus.com/bid/38913	BID	Exploit
2	http://www.springsource.com/security/cve-2009-2907	CONFIRM	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html