Orion Application Server Web Examples Multiple XSS

This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.

Synopsis :

The remote web server includes at least one JSP application that is
affected by a cross-site scripting vulnerability.

Description :

The remote web server uses Orion Application Server, an application
server hosted on a Java2 platform.

It currently makes available at least one example JSP application that
fails to sanitize user-supplied input before using it to generate
dynamic HTML output. Specifically, the 'item' parameter of the
'examples/jsp/sessions/carts.jsp' script, the 'fruit' parameter of the
'examples/jsp/checkbox/checkresult.jsp' script, and the 'time'
parameter of the 'examples/jsp/cal/cal2.jsp' script are known to be
affected. An attacker may be able to leverage this to inject
arbitrary HTML and script code into a user's browser, where it would
execute within the security context of the affected site.
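The pattern behind these findings is a request parameter echoed straight into the page. The following is an added, hypothetical illustration (not Orion's shipped JSP source) of that pattern for the 'item' parameter next to its output-encoded form; the class and method names are assumed for the example.

```java
// Added example: hypothetical reconstruction of the carts.jsp pattern
// (echoing the 'item' request parameter into HTML) beside the encoded
// version. Not Orion's own code; names are chosen for illustration.
public class CartRender {

    // Vulnerable pattern: the raw parameter value is concatenated into
    // the response, so any markup it carries becomes part of the DOM.
    static String renderUnsafe(String item) {
        return "<li>" + item + "</li>";
    }

    // HTML entity encoding for element content and quoted attributes:
    // the five characters that can change HTML structure are replaced.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened pattern: encode on output, at the point the value enters
    // the HTML, so the parameter is rendered as text rather than markup.
    static String renderSafe(String item) {
        return "<li>" + escapeHtml(item) + "</li>";
    }

    public static void main(String[] args) {
        // Constructed sample value containing markup, as a scanner would
        // send when probing for reflected XSS. In a JSP this would come
        // from request.getParameter("item").
        String item = "<b>apple</b>";
        System.out.println(renderUnsafe(item));
        System.out.println(renderSafe(item));
    }
}
```

Running it prints the unsafe line with the markup intact and the safe line with it entity-encoded, which is the difference a scanner's reflected-input check looks for.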

Solution :

Undeploy the web examples distributed with Orion.

Risk factor :

Medium / CVSS Base Score : 4.3

Family: CGI abuses : XSS

Nessus Plugin ID: 40985