CVE-2009-0026
published 2009-01-21CVE-2009-0026: Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q…
PriorityP429medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
21.63%
97.3th percentile
Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | jackrabbit | — | — |
| apache | jackrabbit | — | — |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Apache Jackrabbit contains Cross-site Scripting
ghsa·2022-05-02
CVE-2009-0026 [MEDIUM] CWE-79 Apache Jackrabbit contains Cross-site Scripting
Apache Jackrabbit contains Cross-site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.
OSV
Apache Jackrabbit contains Cross-site Scripting
osv·2022-05-02
CVE-2009-0026 [MEDIUM] Apache Jackrabbit contains Cross-site Scripting
Apache Jackrabbit contains Cross-site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.
Red Hat
JackRabbit XSS in examples
vendor_redhat·2009-01-20·CVSS 4.3
CVE-2009-0026 [MEDIUM] CWE-79 JackRabbit XSS in examples
JackRabbit XSS in examples
Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.
No detection rules found.
Exploit-DB
Apache JackRabbit 1.4/1.5 Content Repository (JCR) - 'swr.jsp?q' Cross-Site Scripting
exploitdb·2009-01-20
CVE-2009-0026 Apache JackRabbit 1.4/1.5 Content Repository (JCR) - 'swr.jsp?q' Cross-Site Scripting
Apache JackRabbit 1.4/1.5 Content Repository (JCR) - 'swr.jsp?q' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/33360/info
Apache Jackrabbit is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Apache Jackrabbit 1.5.2 are vulnerable.
http://www.example.com/swr.jsp?q=%25"alert(1)&swrnum=1
Exploit-DB
Apache JackRabbit 1.4/1.5 Content Repository (JCR) - 'search.jsp?q' Cross-Site Scripting
exploitdb·2009-01-20
CVE-2009-0026 Apache JackRabbit 1.4/1.5 Content Repository (JCR) - 'search.jsp?q' Cross-Site Scripting
Apache JackRabbit 1.4/1.5 Content Repository (JCR) - 'search.jsp?q' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/33360/info
Apache Jackrabbit is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Apache Jackrabbit 1.5.2 are vulnerable.
http://www.example.com/search.jsp?q=%25%22%3Cscript%3Ealert(1)%3C/script%3E
Bugzilla
Moodle: Multiple security fixes in 1.9.7 and 1.8.11 upstream releases
bugzilla·2009-12-06·CVSS 6.8
CVE-2009-4297 [MEDIUM] Moodle: Multiple security fixes in 1.9.7 and 1.8.11 upstream releases
Moodle: Multiple security fixes in 1.9.7 and 1.8.11 upstream releases
Moodle upstream has released latest stable versions (1.9.7 and 1.8.11),
fixing multiple security issues.
The list for 1.9.7 release:
Security issues
* MSA-09-0022 - CVE-2009-4297 Multiple CSRF problems fixed
* MSA-09-0023 - CVE-2009-4298 Fixed user account disclosure in LAMS module
* MSA-09-0024 - CVE-2009-4299 Fixed insufficient access control in
Glossary module
* MSA-09-0025 - CVE-2009-4300 Unneeded MD5 hashes removed from user table
* MSA-09-0026 - CVE-2009-4301 Fixed invalid application access control
in MNET interface
* MSA-09-0027 - CVE-2009-4302 Ensured login information is always sent
secured when using SSL for logins
* MSA-09-0028 - CVE-2009-4303 Passwords and secrets are no longer ever
saved in backups, new
Bugzilla
CVE-2009-0026 JackRabbit XSS in examples
bugzilla·2009-01-22·CVSS 4.3
CVE-2009-0026 [MEDIUM] CVE-2009-0026 JackRabbit XSS in examples
CVE-2009-0026 JackRabbit XSS in examples
Multiple cross-site scripting (XSS) vulnerabilities in Apache
Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web
script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.
Fixed in version 1.5.2:
http://www.securityfocus.com/archive/1/archive/1/500196/100/0/threaded
Details:
https://issues.apache.org/jira/browse/JCR-1925
Discussion:
We do not ship anything with this old version anymore.
http://secunia.com/advisories/33576http://securityreason.com/securityalert/4942http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txthttp://www.securityfocus.com/archive/1/500196/100/0/threadedhttp://www.securityfocus.com/bid/33360http://www.vupen.com/english/advisories/2009/0177https://exchange.xforce.ibmcloud.com/vulnerabilities/48110https://issues.apache.org/jira/browse/JCR-1925http://secunia.com/advisories/33576http://securityreason.com/securityalert/4942http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txthttp://www.securityfocus.com/archive/1/500196/100/0/threadedhttp://www.securityfocus.com/bid/33360http://www.vupen.com/english/advisories/2009/0177https://exchange.xforce.ibmcloud.com/vulnerabilities/48110https://issues.apache.org/jira/browse/JCR-1925
2009-01-21
Published