Detections
Analytics

CVE-2009-2897

medium

Description

Multiple cross-site scripting (XSS) vulnerabilities in hq/web/common/GenericError.jsp in the generic exception handler in the web interface in SpringSource Hyperic HQ 3.2.x before 3.2.6.1, 4.0.x before 4.0.3.1, 4.1.x before 4.1.2.1, and 4.2-beta1; Application Management Suite (AMS) 2.0.0.SR3; and tc Server 6.0.20.B allow remote attackers to inject arbitrary web script or HTML via invalid values for numerical parameters, as demonstrated by an uncaught java.lang.NumberFormatException exception resulting from (1) the typeId parameter to mastheadAttach.do, (2) the eid parameter to Resource.do, and (3) the u parameter in a view action to admin/user/UserAdmin.do. NOTE: some of these details are obtained from third party information.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/53658

http://www.springsource.com/security/hyperic-hq

http://www.securityfocus.com/archive/1/506936/100/0/threaded

http://www.securityfocus.com/archive/1/506935/100/0/threaded

http://www.osvdb.org/58610

http://www.osvdb.org/58609

http://www.osvdb.org/58608

http://secunia.com/advisories/36935

http://forums.hyperic.com/jiveforums/thread.jspa?messageID=22156&#22156

Details

Source: Mitre, NVD

Published: 2009-10-13

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00666