製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の VMware 製品におけるクロスサイトスクリプティングの脆弱性

Title	複数の VMware 製品におけるクロスサイトスクリプティングの脆弱性
Summary	複数の VMware 製品には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者により、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 15, 2009, midnight
Registration Date	Feb. 1, 2010, 11:52 a.m.
Last Update	Feb. 1, 2010, 11:52 a.m.

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected System

VMware

VMware ESX 4.0

VMware Lab Manager

VMware Server 2.0.2

VMware Stage Manager

VMware vCenter 4.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-3731	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3731
National Vulnerability Database (NVD)
2	CVE-2009-3731	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3731

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
VMware Security Advisories
1	VMSA-2009-0017	http://www.vmware.com/security/advisories/VMSA-2009-0017.html

その他

No	Name	URL
Secunia Advisory
1	SA37692	http://secunia.com/advisories/37692
SecurityFocus
2	37346	http://www.securityfocus.com/bid/37346
VUPEN Security
3	VUPEN/ADV-2009-3551	http://www.vupen.com/english/advisories/2009/3551

Change Log

No	Changed Details	Date of change
0	[2010年02月01日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-3731

Summary	Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable through index.html and wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, or (5) the window.opener component in wwhelp/wwhimpl/common/html/bookmark.htm, related to (a) unspecified parameters and (b) messages used in topic links for the bookmarking functionality.
Summary	Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en WebWorks Help v2.0 a la v5.0 en VMware vCenter v4.0 anterior a Update 1 Build 208156; VMware Server v2.0.2; VMware ESX v4.0; VMware Lab Manager v2.x; VMware vCenter Lab Manager v3.x y v4.x anterior a v4.0.1; VMware Stage Manager v1.x anterior a v4.0.1; WebWorks Publisher v6.x a la v8.x; WebWorks Publisher 2003; y WebWorks ePublisher v9.0.x a la v9.3, 2008.1 a la 2008.4, y 2009.x anterior a 2009.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de (1) wwhelp_entry.html alcanzable a través d index.html y wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, o (5) el componente window.opener en wwhelp/wwhimpl/common/html/bookmark.htm, relacionado con (a) parámetros desconocidos y (b) mensajes usados en los enlaces de "topic" para la funcionalidad de marcadores.
Publication Date	Dec. 17, 2009, 3:30 a.m.
Registration Date	Jan. 29, 2021, 1:24 p.m.
Last Update	April 23, 2026, 9:35 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:webworks:epublisher:9.0:::::::*
cpe:2.3:a:webworks:epublisher:9.1:::::::*
cpe:2.3:a:webworks:epublisher:9.2:::::::*
cpe:2.3:a:webworks:epublisher:9.3:::::::*
cpe:2.3:a:webworks:epublisher:2008.1:::::::*
cpe:2.3:a:webworks:epublisher:2008.2:::::::*
cpe:2.3:a:webworks:epublisher:2008.3:::::::*
cpe:2.3:a:webworks:epublisher:2008.4:::::::*
cpe:2.3:a:webworks:epublisher:2009.1:::::::*
cpe:2.3:a:webworks:epublisher:2009.2:::::::*
cpe:2.3:a:webworks:help:2.0:::::::*
cpe:2.3:a:webworks:help:3.0:::::::*
cpe:2.3:a:webworks:help:4.0:::::::*
cpe:2.3:a:webworks:help:5.0:::::::*
cpe:2.3:a:webworks:publisher:6.0:::::::*
cpe:2.3:a:webworks:publisher:7.0:::::::*
cpe:2.3:a:webworks:publisher:8.0:::::::*
cpe:2.3:a:webworks:publisher:2003:::::::*
cpe:2.3:a:vmware:vcenter:4.0:::::::*
cpe:2.3:a:vmware:esx_server:4.0:::::::*
cpe:2.3:a:vmware:lab_manager:2.0:::::::*
cpe:2.3:a:vmware:server:2.0.2:::::::*
cpe:2.3:a:vmware:stage_manager::::::::		4.0
cpe:2.3:a:vmware:stage_manager:1.0:::::::*
cpe:2.3:a:vmware:vcenter_lab_manager:3.0:::::::*
cpe:2.3:a:vmware:vcenter_lab_manager:3.0.1:::::::*
cpe:2.3:a:vmware:vcenter_lab_manager:3.0.2:::::::*
cpe:2.3:a:vmware:vcenter_lab_manager:4.0:::::::*
cpe:2.3:a:vmware:vcenter_stage_manager:1.0.1:::::::*

Configuration2		or higher	or less	more than	less than

Related information, measures and tools

No	URL	refsource
1	http://archives.neohapsis.com/archives/bugtraq/2009-12/0229.html	cve@mitre.org
2	http://lists.vmware.com/pipermail/security-announce/2009/000073.html	cve@mitre.org
3	http://secunia.com/advisories/38749	cve@mitre.org
4	http://secunia.com/advisories/38842	cve@mitre.org
5	http://securitytracker.com/id?1023683	cve@mitre.org
6	http://www.osvdb.org/62738	cve@mitre.org
7	http://www.osvdb.org/62739	cve@mitre.org
8	http://www.osvdb.org/62740	cve@mitre.org
9	http://www.osvdb.org/62741	cve@mitre.org
10	http://www.osvdb.org/62742	cve@mitre.org
11	http://www.securityfocus.com/archive/1/509883/100/0/threaded	cve@mitre.org
12	http://www.securityfocus.com/bid/37346	cve@mitre.org
13	http://www.webworks.com/Security/2009-0001/	cve@mitre.org
14	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5944	cve@mitre.org
15	http://archives.neohapsis.com/archives/bugtraq/2009-12/0229.html	af854a3a-2127-422b-91ae-364da2661108
16	http://lists.vmware.com/pipermail/security-announce/2009/000073.html	af854a3a-2127-422b-91ae-364da2661108
17	http://secunia.com/advisories/38749	af854a3a-2127-422b-91ae-364da2661108
18	http://secunia.com/advisories/38842	af854a3a-2127-422b-91ae-364da2661108
19	http://securitytracker.com/id?1023683	af854a3a-2127-422b-91ae-364da2661108
20	http://www.osvdb.org/62738	af854a3a-2127-422b-91ae-364da2661108
21	http://www.osvdb.org/62739	af854a3a-2127-422b-91ae-364da2661108
22	http://www.osvdb.org/62740	af854a3a-2127-422b-91ae-364da2661108
23	http://www.osvdb.org/62741	af854a3a-2127-422b-91ae-364da2661108
24	http://www.osvdb.org/62742	af854a3a-2127-422b-91ae-364da2661108
25	http://www.securityfocus.com/archive/1/509883/100/0/threaded	af854a3a-2127-422b-91ae-364da2661108
26	http://www.securityfocus.com/bid/37346	af854a3a-2127-422b-91ae-364da2661108
27	http://www.webworks.com/Security/2009-0001/	af854a3a-2127-422b-91ae-364da2661108
28	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5944	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:webworks:epublisher:9.0:::::::*
cpe:2.3:a:webworks:epublisher:9.1:::::::*
cpe:2.3:a:webworks:epublisher:9.2:::::::*
cpe:2.3:a:webworks:epublisher:9.3:::::::*
cpe:2.3:a:webworks:epublisher:2008.1:::::::*
cpe:2.3:a:webworks:epublisher:2008.2:::::::*
cpe:2.3:a:webworks:epublisher:2008.3:::::::*
cpe:2.3:a:webworks:epublisher:2008.4:::::::*
cpe:2.3:a:webworks:epublisher:2009.1:::::::*
cpe:2.3:a:webworks:epublisher:2009.2:::::::*
cpe:2.3:a:webworks:help:2.0:::::::*
cpe:2.3:a:webworks:help:3.0:::::::*
cpe:2.3:a:webworks:help:4.0:::::::*
cpe:2.3:a:webworks:help:5.0:::::::*
cpe:2.3:a:webworks:publisher:6.0:::::::*
cpe:2.3:a:webworks:publisher:7.0:::::::*
cpe:2.3:a:webworks:publisher:8.0:::::::*
cpe:2.3:a:webworks:publisher:2003:::::::*
cpe:2.3:a:vmware:vcenter:4.0:::::::*
cpe:2.3:a:vmware:esx_server:4.0:::::::*
cpe:2.3:a:vmware:lab_manager:2.0:::::::*
cpe:2.3:a:vmware:server:2.0.2:::::::*
cpe:2.3:a:vmware:stage_manager::::::::		4.0
cpe:2.3:a:vmware:stage_manager:1.0:::::::*
cpe:2.3:a:vmware:vcenter_lab_manager:3.0:::::::*
cpe:2.3:a:vmware:vcenter_lab_manager:3.0.1:::::::*
cpe:2.3:a:vmware:vcenter_lab_manager:3.0.2:::::::*
cpe:2.3:a:vmware:vcenter_lab_manager:4.0:::::::*
cpe:2.3:a:vmware:vcenter_stage_manager:1.0.1:::::::*