source: https://www.securityfocus.com/bid/34562/info Apache Geronimo Application Server is prone to multiple remote vulnerabilities: - Multiple directory-traversal vulnerabilities - A cross-site scripting vulnerability - Multiple HTML-injection vulnerabilities - A cross-site request-forgery vulnerability Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, execute arbitrary script code, steal cookie-based authentication credentials, and perform certain administrative actions. Apache Geronimo 2.1 through 2.1.3 are vulnerable. http://www.example.com/console/portal/Server/Monitoring Vulnerable parameters: "name", "ip", "username", "description". Attacker can inject scripts into monitorings. Example [Monitoring - Create View]: name = description = </textarea> or http://www.example.com/console/portal//Server/Monitoring/__ac0x3monitoring0x2monitoring!126896788|0/__pm0x3monitoring0x2monitoring!126896788|0_edit?action=saveA ddView&name=">&description=</textarea>