FKIE_CVE-2009-3731

Vulnerability from fkie_nvd - Published: 2009-12-16 18:30 - Updated: 2025-04-09 00:30
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable through index.html and wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, or (5) the window.opener component in wwhelp/wwhimpl/common/html/bookmark.htm, related to (a) unspecified parameters and (b) messages used in topic links for the bookmarking functionality.
References
cve@mitre.orghttp://archives.neohapsis.com/archives/bugtraq/2009-12/0229.html
cve@mitre.orghttp://lists.vmware.com/pipermail/security-announce/2009/000073.htmlVendor Advisory
cve@mitre.orghttp://secunia.com/advisories/38749
cve@mitre.orghttp://secunia.com/advisories/38842
cve@mitre.orghttp://securitytracker.com/id?1023683
cve@mitre.orghttp://www.osvdb.org/62738
cve@mitre.orghttp://www.osvdb.org/62739
cve@mitre.orghttp://www.osvdb.org/62740
cve@mitre.orghttp://www.osvdb.org/62741
cve@mitre.orghttp://www.osvdb.org/62742
cve@mitre.orghttp://www.securityfocus.com/archive/1/509883/100/0/threaded
cve@mitre.orghttp://www.securityfocus.com/bid/37346Patch
cve@mitre.orghttp://www.webworks.com/Security/2009-0001/Patch, Vendor Advisory
cve@mitre.orghttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5944
af854a3a-2127-422b-91ae-364da2661108http://archives.neohapsis.com/archives/bugtraq/2009-12/0229.html
af854a3a-2127-422b-91ae-364da2661108http://lists.vmware.com/pipermail/security-announce/2009/000073.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/38749
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/38842
af854a3a-2127-422b-91ae-364da2661108http://securitytracker.com/id?1023683
af854a3a-2127-422b-91ae-364da2661108http://www.osvdb.org/62738
af854a3a-2127-422b-91ae-364da2661108http://www.osvdb.org/62739
af854a3a-2127-422b-91ae-364da2661108http://www.osvdb.org/62740
af854a3a-2127-422b-91ae-364da2661108http://www.osvdb.org/62741
af854a3a-2127-422b-91ae-364da2661108http://www.osvdb.org/62742
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/archive/1/509883/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/37346Patch
af854a3a-2127-422b-91ae-364da2661108http://www.webworks.com/Security/2009-0001/Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5944
Impacted products
Vendor Product Version
webworks epublisher 9.0
webworks epublisher 9.1
webworks epublisher 9.2
webworks epublisher 9.3
webworks epublisher 2008.1
webworks epublisher 2008.2
webworks epublisher 2008.3
webworks epublisher 2008.4
webworks epublisher 2009.1
webworks epublisher 2009.2
webworks help 2.0
webworks help 3.0
webworks help 4.0
webworks help 5.0
webworks publisher 6.0
webworks publisher 7.0
webworks publisher 8.0
webworks publisher 2003
vmware vcenter 4.0
microsoft windows *
vmware esx_server 4.0
vmware lab_manager 2.0
vmware server 2.0.2
vmware stage_manager *
vmware stage_manager 1.0
vmware vcenter_lab_manager 3.0
vmware vcenter_lab_manager 3.0.1
vmware vcenter_lab_manager 3.0.2
vmware vcenter_lab_manager 4.0
vmware vcenter_stage_manager 1.0.1
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:webworks:epublisher:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0152043F-D767-431B-ADCF-154C43F3FB23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:epublisher:9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "63A601BB-625C-41AD-888D-A8FC43621E92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:epublisher:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "477AD476-65A3-4901-8A51-0EC4BD1407D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:epublisher:9.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4B5DDB8-B5F9-4F5A-8CA6-457EAC55C940",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:epublisher:2008.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1F3B683-43E8-47E1-A156-B8B5B78F140E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:epublisher:2008.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7A80FBF8-39B1-485F-83F6-48E1AE50E15C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:epublisher:2008.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "328F3A49-3A14-486F-82C5-BD3CBF91C4CC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:epublisher:2008.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "984EAE97-3457-4ED7-AB2C-88CDFADCEDCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:epublisher:2009.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "951EB18F-72AD-4984-8521-A241B51532D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:epublisher:2009.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "663DA7E2-02D8-4EDE-8BD9-55D318C80261",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:help:2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B3C61DC8-4E65-4DDE-8718-BD55EF293F50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:help:3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8CFAF1F7-0F12-483A-AAF6-A186B96089A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:help:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D4F0F35-2597-4350-BF95-9B289C6B5BAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:help:5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F0E0770-2B8E-4F34-B311-572546DF42C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:publisher:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "18F068C7-4ACB-40ED-BCFC-D9ABC531FD88",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:publisher:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B072DD95-C59E-40BB-A037-3044E8C5A928",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:publisher:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "20AC0582-144C-4A65-A0EC-333819958D10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:webworks:publisher:2003:*:*:*:*:*:*:*",
              "matchCriteriaId": "2BB09974-DE62-4C4C-8AC5-84E5FED80341",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vmware:vcenter:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "60B31894-78E7-41A6-857C-D7A0C1C52838",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vmware:esx_server:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "25395564-5FFF-40BC-BE82-21FA9214EBE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:lab_manager:2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "35E0F13A-6576-4388-B382-9EF6F5C340C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:server:2.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E565F23-AEEE-41A4-80EC-01961AD5560E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:stage_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F98A2B29-348C-4142-8D86-89E7FD3531AB",
              "versionEndIncluding": "4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:stage_manager:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "21FBEF2D-D9E0-47D5-9B36-6D0049C51A67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:vcenter_lab_manager:3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0BD3006F-B84C-43C8-B451-64ECBF6A3656",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:vcenter_lab_manager:3.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A9E308D2-12B1-411D-B4AC-8F6CE964A951",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:vcenter_lab_manager:3.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "6985CAE9-0FB0-4D5E-A227-010B09A5EE0B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:vcenter_lab_manager:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BAE62CE8-9951-472F-AFD3-6858B2E6FB1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:vcenter_stage_manager:1.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6AB621E8-4E4B-410A-B57B-1B788442ED3F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable through index.html and wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, or (5) the window.opener component in wwhelp/wwhimpl/common/html/bookmark.htm, related to (a) unspecified parameters and (b) messages used in topic links for the bookmarking functionality."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en WebWorks Help v2.0 a la v5.0 en VMware vCenter v4.0 anterior a Update 1 Build 208156; VMware Server v2.0.2; VMware ESX v4.0; VMware Lab Manager v2.x; VMware vCenter Lab Manager v3.x y v4.x anterior a v4.0.1; VMware Stage Manager v1.x anterior a v4.0.1; WebWorks Publisher v6.x a la v8.x; WebWorks Publisher 2003; y WebWorks ePublisher v9.0.x a la v9.3, 2008.1 a la 2008.4, y 2009.x anterior a 2009.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n  a trav\u00e9s de (1) wwhelp_entry.html alcanzable a trav\u00e9s d index.html y wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, o (5) el componente window.opener en wwhelp/wwhimpl/common/html/bookmark.htm, relacionado con (a) par\u00e1metros desconocidos y (b) mensajes usados en los enlaces de \"topic\" para la funcionalidad de marcadores."
    }
  ],
  "id": "CVE-2009-3731",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2009-12-16T18:30:00.297",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2009-12/0229.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://lists.vmware.com/pipermail/security-announce/2009/000073.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/38749"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/38842"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://securitytracker.com/id?1023683"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.osvdb.org/62738"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.osvdb.org/62739"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.osvdb.org/62740"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.osvdb.org/62741"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.osvdb.org/62742"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/509883/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/37346"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.webworks.com/Security/2009-0001/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5944"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2009-12/0229.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://lists.vmware.com/pipermail/security-announce/2009/000073.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/38749"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/38842"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securitytracker.com/id?1023683"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/62738"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/62739"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/62740"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/62741"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/62742"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/509883/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/37346"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.webworks.com/Security/2009-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5944"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.