This script is Copyright (C) 2009-2012 Tenable Network Security, Inc.

The remote web server includes at least one JSP application that is
affected by a cross-site scripting vulnerability.

The remote web server uses Orion Application Server, an application
server hosted on a Java2 platform.
It currently makes available at least one example JSP application that
fails to sanitize user-supplied input before using it to generate
dynamic HTML output. Specifically, the 'item' parameter of the
'examples/jsp/sessions/carts.jsp' script, the 'fruit' parameter of
the 'examples/jsp/checkbox/checkresult.jsp' script, and the 'time'
parameter of the 'examples/jsp/cal/cal2.jsp' script are known to be
affected. An attacker may be able to leverage this to inject
arbitrary HTML and script code into a user's browser to be executed
within the security context of the affected site.

Solution :
Undeploy the web examples distributed with Orion.

Risk factor :
Medium / CVSS Base Score : 4.3
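
Added example (not part of the original plugin text): a log review helper that flags requests to the three example scripts named above, separating hits where the affected parameter carries HTML metacharacters from hits that only show the examples are still deployed. It assumes a Common/Combined Log Format access log; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script path -> parameter, as listed in the description above.
AFFECTED = {
    "examples/jsp/sessions/carts.jsp": "item",
    "examples/jsp/checkbox/checkresult.jsp": "fruit",
    "examples/jsp/cal/cal2.jsp": "time",
}
# Characters that let a value break out of HTML text or an attribute.
HTML_META = re.compile(r"[<>\"']")
# Request line and status of a Common Log Format entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return (severity, script, detail) for a hit on an affected script, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url, status = urlsplit(m.group(1)), m.group(2)
    path = url.path.lstrip("/")
    for script, param in AFFECTED.items():
        if not path.endswith(script):
            continue
        # parse_qs percent-decodes values, so encoded markup is caught too.
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        if any(HTML_META.search(v) for v in values):
            return ("suspicious", script, f"markup in '{param}', status {status}")
        if status == "200":
            return ("deployed", script, "example still served")
    return None

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2012:10:00:00 +0000] "GET /examples/jsp/cal/cal2.jsp?time=8am HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2012:10:00:05 +0000] "GET /examples/jsp/checkbox/checkresult.jsp?fruit=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640',
    '192.0.2.12 - - [01/Jan/2012:10:00:09 +0000] "GET /examples/jsp/sessions/carts.jsp?item=book HTTP/1.1" 404 210',
    '192.0.2.13 - - [01/Jan/2012:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

A "deployed" hit means the solution above has not been applied yet; once the examples are undeployed, plain requests to these paths return 404 and are no longer reported.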