Note: This is an archival copy of Security Sun Alert 239308 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019409.1.
Article ID : 1019409.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-06
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Cross Site Scripting (XSS) Vulnerability in Sun Java System Portal Server's Portlets may Lead to Execution of Arbitrary Code



Category
Security

Release Phase
Resolved

Bug Id
6679004

Product
Sun Java System Portal Server 7.0
Sun Java System Portal Server 7.1

Date of Resolved Release
15-Aug-2008

A Cross Site Scripting (XSS) security vulnerability exists in some of the Portlets bundled with Sun Java System Portal Server (see below for details)

1. Impact

A Cross Site Scripting (XSS) security vulnerability exists in some of the Portlets bundled with Sun Java System Portal Server that may allow remote users to execute arbitrary JavaScript code in a user's web browser.

2. Contributing Factors


This issue can occur in the following releases:

SPARC Platform
  • Sun Java System Portal Server 7.1 (for Solaris 8, 9 and 10) without patch 124301-10
  • Sun Java System Portal Server 7.0 (for Solaris 8, 9 and 10) without patch 121913-19
x86 Platform
  • Sun Java System Portal Server 7.1 (for Solaris 8, 9 and 10) without patch 124302-10
  • Sun Java System Portal Server 7.0 (for Solaris 8, 9 and 10) without patch 121914-19
Linux Platform
  • Sun Java System Portal Server 7.1 without patch 124303-11
  • Sun Java System Portal Server 7.0 without patch 121915-19
To determine the version of Sun Java System Portal Server Software installed on a system, the following command can be run:

   # <PS_INSTALL_DIR>/bin/psadmin version -u amadmin -f passwordFile
    Fri Aug 20 07:37:07 PDT 2008 Sun Java(tm) System Portal Server 7.1


Note: Portal Server Software versions 6.3.1 or earlier and  version 7.2  are not impacted by this issue.

3. Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.

4. Workaround

There is no workaround for this issue. Please see the Resolution section below.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • Sun Java System Portal Server 7.1 (for Solaris 8, 9 and 10) with patch 124301-10 or later
  • Sun Java System Portal Server 7.0 (for Solaris 8, 9 and 10) with patch 121913-19 or later
x86 Platform
  • Sun Java System Portal Server 7.1 (for Solaris 8, 9 and 10) with patch 124302-10 or later
  • Sun Java System Portal Server 7.0 (for Solaris 8, 9 and 10) with patch 121914-19 or later
Linux Platform
  • Sun Java System Portal Server 7.1 with patch 124303-11 or later
  • Sun Java System Portal Server 7.0 with patch 121915-19 or later

For more information on Security Sun Alerts, see .


References

SUNPATCH:121913-19
SUNPATCH:121914-19
SUNPATCH:121915-19
SUNPATCH:124301-10
SUNPATCH:124302-10
SUNPATCH:124303-11



Attachments
This solution has no attachment