Multiple cross-site scripting (XSS) vulnerabilities in Apache Geronimo 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) time parameter to cal2.jsp and (2) any invalid parameter, which causes an XSS when the log file is viewed by the Web-Access-Log viewer. Version 1.1 contains fixes for these issues.
issues.apache.org/jira/browse/GERONIMO-1474
rhn.redhat.com/errata/RHSA-2008-0630.html
secunia.com/advisories/18485
secunia.com/advisories/31493
svn.apache.org/viewvc/geronimo
svn.apache.org/viewvc?view=revision&revision=372322
www.oliverkarow.de/research/geronimo_css.txt
www.redhat.com/support/errata/RHSA-2008-0261.html
www.securityfocus.com/archive/1/421996/100/0/threaded
www.securityfocus.com/bid/16260
www.vupen.com/english/advisories/2006/0217
exchange.xforce.ibmcloud.com/vulnerabilities/24158
exchange.xforce.ibmcloud.com/vulnerabilities/24159
geronimo.apache.org/GMOxDOC11/release-notes-11txt.html
issues.apache.org/jira/secure/attachment/12322088/GERONIMO-1474.patch
issues.apache.org/jira/secure/ReleaseNote.jspa?version=12310181&styleName=Html&projectId=10220&Create=Create
nvd.nist.gov/vuln/detail/CVE-2006-0254