Title: Macromedia Sitespring Default Error Page Cross Site Scripting Vulnerability
Severity: HIGH
Description:
Macromedia Sitespring is a J2EE-compliant product for managing website production. The Macromedia Sitespring server runs on Microsoft Windows operating systems.
A cross-site scripting issue has been reported in the default error page used by Sitespring. When an HTTP 500 error is returned, some user-supplied data is included in the generated HTML. Since this data isn't properly sanitized, an attacker may be able to include arbitrary HTML, including JavaScript.
An attacker may create a malicious link to a vulnerable site, including arbitrary JavaScript commands. If a user of the site is enticed into following this link, the malicious script code will execute within the context of the Sitespring site. Script code may take actions as an authenticated user or may disclose sensitive information to an attacker, including cookie data.
Affected Products:
- Macromedia Sitespring 1.2.0 .0
References:
- Macromedia: Sitespring Homepage