Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2009-3731

Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable through index.html and wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, or (5) the window.opener component in wwhelp/wwhimpl/common/html/bookmark.htm, related to (a) unspecified parameters and (b) messages used in topic links for the bookmarking functionality.

Published

2009-12-16T18:30:00.297

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	webworks	epublisher	9.0	Yes
Application	webworks	epublisher	9.1	Yes
Application	webworks	epublisher	9.2	Yes
Application	webworks	epublisher	9.3	Yes
Application	webworks	epublisher	2008.1	Yes
Application	webworks	epublisher	2008.2	Yes
Application	webworks	epublisher	2008.3	Yes
Application	webworks	epublisher	2008.4	Yes
Application	webworks	epublisher	2009.1	Yes
Application	webworks	epublisher	2009.2	Yes
Application	webworks	help	2.0	Yes
Application	webworks	help	3.0	Yes
Application	webworks	help	4.0	Yes
Application	webworks	help	5.0	Yes
Application	webworks	publisher	6.0	Yes
Application	webworks	publisher	7.0	Yes
Application	webworks	publisher	8.0	Yes
Application	webworks	publisher	2003	Yes
Application	vmware	vcenter	4.0	Yes
Operating System	microsoft	windows	*	No
Application	vmware	esx_server	4.0	Yes
Application	vmware	lab_manager	2.0	Yes
Application	vmware	server	2.0.2	Yes
Application	vmware	stage_manager	≤ 4.0	Yes
Application	vmware	stage_manager	1.0	Yes
Application	vmware	vcenter_lab_manager	3.0	Yes
Application	vmware	vcenter_lab_manager	3.0.1	Yes
Application	vmware	vcenter_lab_manager	3.0.2	Yes
Application	vmware	vcenter_lab_manager	4.0	Yes
Application	vmware	vcenter_stage_manager	1.0.1	Yes

References

http://archives.neohapsis.com/archives/bugtraq/2009-12/0229.html ([email protected])
http://lists.vmware.com/pipermail/security-announce/2009/000073.html Vendor Advisory ([email protected])
http://secunia.com/advisories/38749 ([email protected])
http://secunia.com/advisories/38842 ([email protected])
http://securitytracker.com/id?1023683 ([email protected])
http://www.osvdb.org/62738 ([email protected])
http://www.osvdb.org/62739 ([email protected])
http://www.osvdb.org/62740 ([email protected])
http://www.osvdb.org/62741 ([email protected])
http://www.osvdb.org/62742 ([email protected])
http://www.securityfocus.com/archive/1/509883/100/0/threaded ([email protected])
http://www.securityfocus.com/bid/37346 Patch ([email protected])
http://www.webworks.com/Security/2009-0001/ Patch, Vendor Advisory ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5944 ([email protected])
http://archives.neohapsis.com/archives/bugtraq/2009-12/0229.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.vmware.com/pipermail/security-announce/2009/000073.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/38749 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/38842 (af854a3a-2127-422b-91ae-364da2661108)
http://securitytracker.com/id?1023683 (af854a3a-2127-422b-91ae-364da2661108)
http://www.osvdb.org/62738 (af854a3a-2127-422b-91ae-364da2661108)
http://www.osvdb.org/62739 (af854a3a-2127-422b-91ae-364da2661108)
http://www.osvdb.org/62740 (af854a3a-2127-422b-91ae-364da2661108)
http://www.osvdb.org/62741 (af854a3a-2127-422b-91ae-364da2661108)
http://www.osvdb.org/62742 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/509883/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/37346 Patch (af854a3a-2127-422b-91ae-364da2661108)
http://www.webworks.com/Security/2009-0001/ Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5944 (af854a3a-2127-422b-91ae-364da2661108)