Unrated severityNVD Advisory· Published Oct 13, 2009· Updated Apr 23, 2026

CVE-2009-2897

Description

Multiple cross-site scripting (XSS) vulnerabilities in hq/web/common/GenericError.jsp in the generic exception handler in the web interface in SpringSource Hyperic HQ 3.2.x before 3.2.6.1, 4.0.x before 4.0.3.1, 4.1.x before 4.1.2.1, and 4.2-beta1; Application Management Suite (AMS) 2.0.0.SR3; and tc Server 6.0.20.B allow remote attackers to inject arbitrary web script or HTML via invalid values for numerical parameters, as demonstrated by an uncaught java.lang.NumberFormatException exception resulting from (1) the typeId parameter to mastheadAttach.do, (2) the eid parameter to Resource.do, and (3) the u parameter in a view action to admin/user/UserAdmin.do. NOTE: some of these details are obtained from third party information.

Affected products

Springsource/Application Management Suite
cpe:2.3:a:springsource:application_management_suite:2.0.0:sr3:*:*:*:*:*:*
Springsource/Hyperic Hq16 versions
cpe:2.3:a:springsource:hyperic_hq:3.2.0:*:*:*:*:*:*:*+ 15 more
- cpe:2.3:a:springsource:hyperic_hq:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:3.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:3.2:beta_1:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:hyperic_hq:4.2:beta_1:*:*:*:*:*:*
Springsource/Tc Server
cpe:2.3:a:springsource:tc_server:6.0.20:b:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.springsource.com/security/hyperic-hqnvdPatchVendor Advisory
corelabs.coresecurity.com/index.phpnvdExploitPatch
jira.hyperic.com/browse/HHQ-2655nvdExploit
www.coresecurity.com/content/hyperic-hq-vulnerabilitiesnvdExploitPatch
secunia.com/advisories/36935nvdVendor Advisory
forums.hyperic.com/jiveforums/thread.jspanvd
www.osvdb.org/58608nvd
www.osvdb.org/58609nvd
www.osvdb.org/58610nvd
www.securityfocus.com/archive/1/506935/100/0/threadednvd
www.securityfocus.com/archive/1/506936/100/0/threadednvd
exchange.xforce.ibmcloud.com/vulnerabilities/53658nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000