Note: This is an archival copy of Security Sun Alert 200314 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000238.1.
Date of Resolved Release
Due to this cross-site scripting vulnerability, users who follow untrusted links/URIs in web pages, mail messages, or newsgroup postings may unintentionally execute, in their browser, scripts written by a remote unprivileged user. When a user follows such an untrusted link/URI, the remote attacker may be able to execute commands with the privileges of the user who accessed the link/URI.
Sun acknowledges, with thanks, Eric Hobbs from MagnaWare for bringing this issue to our attention.
Additional information about cross-site scripting and web script vulnerabilities can be found at the following URLs:
This issue can occur in the following releases for all platforms:
Note: Sun Java System Application Server 8 2005Q1 and Sun Java System Application Server 8 (Platform Edition) are not affected.
There are no reliable symptoms that would indicate the described issue has been exploited.
There is no workaround. Please see the "Resolution" section below.
This issue is addressed in the following releases:
Sun Java System Application Server 7 Standard Edition, Update 6 is available for download at http://www.sun.com/download/products.xml?id=41c239a4
Sun Java System Application Server 7 Platform Edition, Update 6 is available for download at http://www.sun.com/download/products.xml?id=41c374e2
Sun Java System Application Server 7 2004Q2 Standard Edition, Update 2 is available for download at http://www.sun.com/download/products.xml?id=41e32dfb
For the Sun Java System Application Server 7 2004Q2 Enterprise Edition, Update 2, please see the Sun Online Support Center at https://osc-amer.sun.com/OSCSW/svcportal?pageName=clselection
Sun Java System Application Server Platform Edition 8