Apache Tomcat / Geronimo Sample Script cal2.jsp time Parameter XSS
Severity: Medium
Nessus Plugin ID: 20738
Synopsis
The remote web server contains a JSP application that is prone to a cross-site scripting flaw.
Description
The remote host appears to be running Geronimo, an open source J2EE server from the Apache Software Foundation.
The version of Geronimo installed on the remote host ships with a sample JSP application (cal2.jsp) that fails to sanitize user-supplied input to the 'time' parameter before echoing it into a dynamically generated web page. An attacker can exploit this flaw to cause arbitrary HTML and script code to be executed in a user's browser within the context of the affected web site.
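To make the flaw concrete from the defender's side, the following Java snippet (an added illustration, not the Geronimo cal2.jsp source) shows the pattern the plugin describes, a request parameter copied verbatim into markup, next to the hardened form that HTML-encodes the value first. The class, method names and the sample inputs are hypothetical; the JSP equivalent of the hardened form is `<c:out value="${param.time}"/>`, which escapes XML special characters by default.

```java
// Added example: rendering a reflected 'time' parameter with and without
// output encoding. Not code from Geronimo; names are hypothetical.
public class TimeParamRendering {

    /** Encode the five characters that carry meaning in HTML text and attribute context. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The weakness the plugin reports: the parameter lands in the page unchanged. */
    static String renderUnescaped(String time) {
        return "<input type=\"text\" name=\"time\" value=\"" + time + "\">";
    }

    /** Hardened form: the parameter is HTML-encoded before it is written into the attribute. */
    static String renderEscaped(String time) {
        return "<input type=\"text\" name=\"time\" value=\"" + escapeHtml(time) + "\">";
    }

    public static void main(String[] args) {
        String benign  = "10:30";                      // constructed: normal input
        String hostile = "\"><b>injected</b>";         // constructed: breaks out of the attribute

        // Benign input renders identically either way.
        System.out.println(renderUnescaped(benign));
        System.out.println(renderEscaped(benign));

        // Hostile input: the unescaped version closes the attribute and injects markup,
        // the escaped version keeps it inert text inside value="...".
        System.out.println(renderUnescaped(hostile));
        System.out.println(renderEscaped(hostile));
        // -> <input type="text" name="time" value="&quot;&gt;&lt;b&gt;injected&lt;/b&gt;">
    }
}
```

The practical takeaway is the solution the plugin gives: sample applications are rarely reviewed to this standard, so remove them from production servers rather than relying on per-parameter fixes.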
Solution
Uninstall the example applications or upgrade to Geronimo version 1.0.1 or later.