VYPR
Unrated severity · NVD Advisory · Published Nov 23, 2009 · Updated Apr 23, 2026

CVE-2009-4052

Description

Multiple cross-site scripting (XSS) vulnerabilities in the JSF Widget Library Runtime in IBM Rational Application Developer for WebSphere Software before 7.0.0.10 and Rational Software Architect before 7.0.0.10 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) the JSF Tree Control and (2) the JavaScript Resource Servlet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Rational Application Developer and Rational Software Architect before 7.0.0.10 contain XSS vulnerabilities in the JSF Tree Control and JavaScript Resource Servlet.

Vulnerability

The JSF Widget Library Runtime in IBM Rational Application Developer for WebSphere Software and Rational Software Architect, both prior to version 7.0.0.10, contains two cross-site scripting (XSS) vulnerabilities. The first involves the JSF Tree Control (PK90616) and the second involves the JavaScript Resource Servlet (PK94324) [1][2][3]. The JavaScript Resource Servlet does not validate the locale identifier parameter, allowing an attacker to inject arbitrary JavaScript [2]. The JSF Tree Control also fails to properly validate or escape certain input, leading to XSS [3].

Exploitation

An attacker can exploit these vulnerabilities by crafting a malicious URL that includes a specially crafted locale parameter or other input passed to the JSF Tree Control or the JavaScript Resource Servlet. The attacker does not require any authentication or prior access; the victim needs only to visit a crafted link or page controlled by the attacker [3]. The XSS payload is then executed in the context of the application's domain [2][3].

Impact

Successful exploitation allows a remote attacker to inject arbitrary web script or HTML, leading to potential information disclosure, session hijacking, or other client-side attacks [3]. The impact is limited to the affected application's context and user sessions.

Mitigation

IBM has released Rational Application Developer V7.0.0.10, which includes fixes for both vulnerabilities (APAR PK90616 and PK94324) [2][3]. Users should upgrade to version 7.0.0.10 or later. If upgrading is not immediately possible, consider restricting access to the vulnerable servlets and controls through network filtering or application-level security measures.
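The root cause described above is a parameter (the locale identifier) that the servlet copies into served JavaScript without checking it against the small set of values a locale can legitimately take, plus tree-control output that is not escaped. The following added example is not IBM's code or fix; it models that defect class in Python and shows the two standard mitigations side by side: a strict allowlist for the locale identifier (the regex is an assumption for this example) and context-appropriate encoding (JSON literal for script, HTML escaping for markup). The sample inputs are constructed for illustration.

```python
import html
import json
import re

# Allowlist for locale identifiers such as "en", "en_US" or "zh_Hant_TW".
# This pattern is an assumption made for this example, not the product's own rule.
LOCALE_RE = re.compile(r"[a-z]{2,3}(?:_[A-Z][a-z]{3})?(?:_[A-Z]{2})?")


def validate_locale(value):
    """Return the locale identifier if it matches the allowlist, else None."""
    if isinstance(value, str) and LOCALE_RE.fullmatch(value):
        return value
    return None


def vulnerable_resource_servlet(params):
    """Models the defect class: the request parameter is copied into the served
    script unvalidated, so anything outside a plain identifier changes the script."""
    locale = params.get("locale", "en")
    return 200, f'var widgetLocale = "{locale}";'


def hardened_resource_servlet(params):
    """Reject anything outside the allowlist, then emit the value as a JSON
    string literal so it is a single string token in the script context."""
    locale = validate_locale(params.get("locale", "en"))
    if locale is None:
        return 400, "invalid locale parameter"
    return 200, f"var widgetLocale = {json.dumps(locale)};"


def render_tree_label(label):
    """Tree-control style rendering: HTML-escape user-influenced text before
    embedding it in markup (quote=True also escapes attribute quotes)."""
    return f'<span class="label">{html.escape(label, quote=True)}</span>'


# Constructed sample inputs (not captured traffic).
SAMPLE_PARAMS = [
    {"locale": "en_US"},
    {"locale": "fr"},
    {"locale": 'en_US"; tampered'},
    {"locale": "<b>en</b>"},
]

if __name__ == "__main__":
    for p in SAMPLE_PARAMS:
        print(repr(p["locale"]))
        print("  unvalidated:", vulnerable_resource_servlet(p))
        print("  hardened:   ", hardened_resource_servlet(p))
    print(render_tree_label('Node <1> & "two"'))
```

Rejecting with a 400 rather than silently substituting a default keeps the bad request visible in access logs, which is the cheapest detection signal for probing of this kind; the allowlist should be as narrow as the locales the application actually ships.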

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • IBM Rational Application Developer for WebSphere Software (all versions before 7.0.0.10)
    • cpe:2.3:a:ibm:rational_application_developer_for_websphere:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_application_developer_for_websphere:7.0.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_application_developer_for_websphere:7.0.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_application_developer_for_websphere:7.0.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_application_developer_for_websphere:7.0.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_application_developer_for_websphere:7.0.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_application_developer_for_websphere:7.0.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_application_developer_for_websphere:7.0.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_application_developer_for_websphere:7.0.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_application_developer_for_websphere:7.0.0.9:*:*:*:*:*:*:*
    • (no CPE) version range: < 7.0.0.10
  • IBM Rational Software Architect (all versions before 7.0.0.10)
    • cpe:2.3:a:ibm:rational_software_architect:7.0.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_software_architect:7.0.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_software_architect:7.0.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_software_architect:7.0.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_software_architect:7.0.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_software_architect:7.0.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_software_architect:7.0.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_software_architect:7.0.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_software_architect:7.0.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:rational_software_architect:7.0.0.9:*:*:*:*:*:*:*
    • (no CPE) version range: < 7.0.0.10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.