Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-0038

Severity
4.3 MEDIUM
EPSS
23.7%
top 4.01%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Apr 17
Latest update: May 2

Description

Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring; or (5) the PATH_INFO to the default URI under console/portal/.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (2 packages)

NVD: apache/geronimo, 4 versions (+3)

Patches

🔴 Vulnerability Details (3)

OSV: Apache Geronimo Application Server multiple cross-site scripting (XSS) vulnerabilities (2022-05-02)
GHSA: Apache Geronimo Application Server multiple cross-site scripting (XSS) vulnerabilities (2022-05-02)
CVEList: CVE-2009-0038: Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2 (2009-04-17)

💥 Exploits & PoCs (2)

Exploit-DB: Apache Geronimo 2.1.x - '/console/portal/Server/Monitoring' Multiple Cross-Site Scripting Vulnerabilities (2009-04-16)
Exploit-DB: Apache Geronimo 2.1.x - '/console/portal/' URI Cross-Site Scripting (2009-04-16)

💬 Community (1)

Bugzilla: CVE-2009-3956 acroread: script injection vulnerability (APSB10-02) (2010-01-11)
CVE-2009-0038 (MEDIUM CVSS 4.3) | Multiple cross-site scripting (XSS) | cvebase.io