VYPR
Unrated severity · NVD Advisory · Published Dec 15, 2009 · Updated Apr 23, 2026

CVE-2009-2405

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Web Console in the Application Server in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2.0 before 4.2.0.CP08, 4.2.2GA, 4.3 before 4.3.0.CP07, and 5.1.0GA allow remote attackers to inject arbitrary web script or HTML via the (1) monitorName, (2) objectName, (3) attribute, or (4) period parameter to createSnapshot.jsp, or the (5) monitorName, (6) objectName, (7) attribute, (8) threshold, (9) period, or (10) enabled parameter to createThresholdMonitor.jsp. NOTE: some of these details are obtained from third party information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in JBoss EAP Web Console through unsanitized parameters in createSnapshot.jsp and createThresholdMonitor.jsp.

Vulnerability

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Console of the Application Server in Red Hat JBoss Enterprise Application Platform (JBoss EAP) versions 4.2.0 before 4.2.0.CP08, 4.2.2GA, 4.3 before 4.3.0.CP07, and 5.1.0GA. The affected pages are createSnapshot.jsp and createThresholdMonitor.jsp. Input passed to the parameters monitorName, objectName, attribute, period, threshold, and enabled is not sanitized before being returned to the user, allowing injection of arbitrary HTML and script code [1][2].

Exploitation

An attacker must convince a victim who is logged into the JBoss Web Console to visit a crafted URL containing malicious JavaScript in one of the vulnerable parameters. No authentication is required on the part of the attacker, but the victim must have an active session with the Web Console. The attack is reflected: the malicious payload is not stored on the server but is immediately echoed back in the HTTP response. Initial patches did not cover all injection vectors (e.g., the attribute-breaking input " onmouseover=alert(1), which needs no angle brackets), requiring revisions [2].

Impact

Successful exploitation allows arbitrary script execution in the victim's browser within the security context of the JBoss Web Console. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability does not provide direct server-side access, but it compromises the user's session and data confidentiality/integrity within the Web Console [1][2].

Mitigation

Red Hat released updates in RHSA-2009:1649 for JBoss EAP 4.2.0 CP08, 4.3.0 CP07, and later versions. For JBoss EAP 5.1.0GA, an upgrade to a patched release (e.g., 5.1.1GA) or applying the vendor-provided patch is required. Workarounds include restricting network access to the Web Console or disabling it if not needed. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
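As an added illustration of the incomplete-fix note above, the Java below (editor-supplied, not the JBoss patch or the real JSP) compares a tag-only escaper with an attribute-aware one on a simulated input field that echoes the monitorName parameter. The markup, class and method names are hypothetical; the second test input is the attribute-breaking string quoted in the advisory.

```java
import java.util.Arrays;
import java.util.List;

public final class AttributeContextEscaping {
    // Constructed stand-in for a partial fix that only neutralises tag characters.
    static String escapeTagCharsOnly(String s) {
        return s.replace("<", "&lt;").replace(">", "&gt;");
    }

    // Escaper for values placed inside a double-quoted HTML attribute.
    // '&' is handled first so existing entities are not double-encoded.
    static String escapeHtmlAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Simulates a JSP echoing the monitorName parameter into an <input value="..."> attribute
    // (hypothetical markup; the real createThresholdMonitor.jsp output is not reproduced here).
    static String renderField(String monitorName, boolean useWeakEscaper) {
        String v = useWeakEscaper ? escapeTagCharsOnly(monitorName) : escapeHtmlAttr(monitorName);
        return "<input type=\"text\" name=\"monitorName\" value=\"" + v + "\">";
    }

    // The template contains exactly six double quotes; any extra one means the value broke out.
    static boolean valueStaysInAttribute(String html) {
        return html.chars().filter(ch -> ch == '"').count() == 6;
    }

    public static void main(String[] args) {
        // Test vectors: a benign name and the attribute-breaking string quoted in the advisory.
        List<String> inputs = Arrays.asList("heapMonitor", "\" onmouseover=alert(1)");
        for (String in : inputs) {
            String weak = renderField(in, true);
            String safe = renderField(in, false);
            System.out.printf("%-24s tag-only safe=%-5b attr-aware safe=%b%n",
                    in, valueStaysInAttribute(weak), valueStaysInAttribute(safe));
        }
    }
}
```

In a real JSP, use a vetted encoder for the attribute context (for example OWASP Java Encoder's Encode.forHtmlAttribute) rather than a hand-rolled one.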

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (20)

    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp01:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp02:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp03:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp04:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp05:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp06:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp07:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.2:ga:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp01:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp02:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp03:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp01:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp02:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp03:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp04:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3:cp01:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0:ga:*:*:*:*:*:*
    • (no CPE) range: 4.2.0 before 4.2.0.CP08, 4.2.2GA, 4.3 before 4.3.0.CP07, 5.1.0GA

Patches (0)

No patches discovered yet.
