CVE-2011-3606

A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution.

Published: Nov 26, 2019
Updated: Apr 13, 2023
CVE: CVE-2011-3606
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
redhat / jboss_application_server	7.0.0	7.0.0.x
redhat / jboss_application_server	7.0.1	7.0.1.x
redhat / jboss_application_server	7.0.2	7.0.2.x
redhat / jboss_application_server	7.0.0-alpha1	7.0.0-alpha1.x
redhat / jboss_application_server	7.0.0-beta1	7.0.0-beta1.x
redhat / jboss_application_server	7.0.0-beta2	7.0.0-beta2.x
redhat / jboss_application_server	7.0.0-beta3	7.0.0-beta3.x
redhat / jboss_application_server	7.0.0-cr1	7.0.0-cr1.x

Vulnerability Database

289,599

CVE-2011-3606