HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Top Five Web Application Vulnerabilities 8/17/09 - 8/30/09

1) Adobe Flex SDK 'index.template.html' Cross Site Scripting Vulnerability

Adobe Flex SDK is susceptible to a Cross-Site Scripting vulnerability. This can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials in the context of a web application built using the SDK. Updates which resolve this issue are available. Contact the vendor for additional information.


2) Adobe ColdFusion Multiple Vulnerabilities

Adobe ColdFusion is susceptible to multiple vulnerabilities including instances of Cross-Site Scripting, HTML Injection, session fixation, and information disclosure. A victim's session can be hijacked, giving an attacker unauthorized access to the application. Other possible attacks include having content added into a web server's response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in the context of the site, or simply alter how the site appears. The information disclosure vulnerability could also reveal sensitive information which could lead to more damaging attacks. Updates which address each of these vulnerabilities are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/36046 (HTML Injection)
http://www.securityfocus.com/bid/36096 (Double-Encoded NULL Character Information Disclosure)
http://www.securityfocus.com/bid/36056 (Cross Site Scripting)
http://www.securityfocus.com/bid/36053 (Multiple Cross-Site Scripting)
http://www.securityfocus.com/bid/36054 (Session Fixation)

3) Adobe JRun Multiple Unspecified Cross-Site Scripting Vulnerabilities

Adobe JRun is susceptible to multiple instances of Cross-Site Scripting. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve this issue are available. Contact the vendor for more details.


4) IBM WebSphere Commerce Unspecified Information Disclosure Vulnerability

IBM WebSphere Commerce is susceptible to an information disclosure vulnerability. An attacker can gather sensitive information, possibly leading to brute-force attacks against user accounts. Updates which resolve this vulnerability are available. Contact the vendor for further information.


5) Xerox WorkCentre Web Services Extensible Interface Platform Unauthorized Access Vulnerability

Xerox WorkCentre is susceptible to an unauthorized access vulnerability. An attacker can leverage this vulnerability to access the device's configuration settings and possibly acquire customer passwords. An advisory and a patch which resolve this issue have been released. Contact the vendor for additional details.

