CVE-2009-1380
Description
Cross-site scripting (XSS) vulnerability in JMX-Console in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP08 and 4.3 before 4.3.0.CP07 allows remote attackers to inject arbitrary web script or HTML via the filter parameter, related to the key property and the position of quote and colon characters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting (XSS) flaw in the JMX-Console of Red Hat JBoss EAP 4.2 and 4.3 allows remote attackers to inject arbitrary web script or HTML via the filter parameter, due to improper encoding of quote and colon characters.
Vulnerability
The JMX-Console component in Red Hat JBoss Enterprise Application Platform (JBoss EAP) 4.2 before version 4.2.0.CP08 and 4.3 before version 4.3.0.CP07 contains a cross-site scripting (XSS) vulnerability. The flaw exists in the handling of the filter parameter: the console fails to properly encode quote characters when they appear after a colon in the key property, allowing injection of arbitrary HTML or script [2].
Exploitation
An attacker with network access to the JMX-Console web interface can exploit this vulnerability by crafting a malicious URL containing a specially crafted filter parameter. No authentication is required. The attacker sends a request with an XSS payload that is not properly escaped, resulting in execution of the injected script in the context of the victim's browser session [2].
Impact
Successful exploitation allows an attacker to execute arbitrary web script or HTML in the user's browser. This can lead to session hijacking, information disclosure, or unauthorized actions performed on behalf of an authenticated user accessing the JMX-Console [2].
Mitigation
Red Hat has released fixes for this issue as part of the following errata: RHSA-2009:1636 (JBoss EAP 4.3.0 for RHEL 4), RHSA-2009:1637 (JBoss EAP 4.2.0 for RHEL 4), RHSA-2009:1649 (JBoss EAP 4.3.0 for RHEL 5), and RHSA-2009:1650 (JBoss EAP 4.2.0 for RHEL 5) [1][2]. Users should upgrade to the patched versions (4.2.0.CP08 or 4.3.0.CP07 or later). No workarounds are documented.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp01:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp02:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp03:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp04:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp05:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp06:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp07:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp01:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp02:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp03:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp01:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp02:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp03:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp04:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3:cp01:*:*:*:*:*:*
- (no CPE) range: < 4.2.0.CP08 and < 4.3.0.CP07
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- bugzilla.redhat.com/show_bug.cgi (nvd, Patch)
- secunia.com/advisories/37671 (nvd, Vendor Advisory)
- rhn.redhat.com/errata/RHSA-2009-1636.html (nvd, Vendor Advisory)
- rhn.redhat.com/errata/RHSA-2009-1649.html (nvd, Vendor Advisory)
- rhn.redhat.com/errata/RHSA-2009-1650.html (nvd, Vendor Advisory)
- securitytracker.com/id (nvd)
- www.securityfocus.com/bid/37276 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/54698 (nvd)
- jira.jboss.org/jira/browse/JBPAPP-1983 (nvd)
- rhn.redhat.com/errata/RHSA-2009-1637.html (nvd)
News mentions
No linked articles in our index yet.