Project Woodstock 404 Error Page UTF-7 Encoded XSS

The IT group at our agency in its latest scan just flagged the above vulnerability on one of my computers - a Mac OS X box that happens to run Servoy Server (v. 4.1.1 - build 658). According to the National Vulnerability Database, this is a “Cross-site scripting (XSS) vulnerability in ThemeServlet.java in Sun Woodstock 4.2, as used in Sun GlassFish Enterprise Server and other products, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 string in the PATH_INFO, which is displayed on the 404 error page, as demonstrated by the PATH_INFO to theme/META-INF.” I was instructed that to resolve this issue I am to download the latest Woodstock sources from CVS.

I’m at a complete loss here - there is no ThemeServlet.java file on my system. The only (known) Java-based web application running on the affected computer is Servoy Server, so I wonder if this is the culprit. Does Servoy Server use Woodstock components? If so, how do I go about patching this vulnerability? Would updating to the latest build resolve this problem?

If this issue cannot be caused by my installation of Servoy I would appreciate knowing this also so that I can eliminate Servoy as a possible source.

Thanks!

We don't have anything in Servoy that is related to a ThemeServlet or Woodstock…

We only have 2 Tomcat servlets (default servlet and JSP servlet)
and a few of our own for the smart and webclient.

Thanks, Johan - I’ll send this on and look elsewhere for the problem (if it’s indeed there)!
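
An added example, not part of the original thread or of Servoy's code: a deployed Java web application ships compiled classes inside JAR/WAR/EAR archives rather than `.java` sources, so the file to search for is `ThemeServlet.class`. The script below walks a directory tree and looks inside archives, including archives nested in other archives; the sample archives and their entry names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear")
TARGET = "ThemeServlet.class"  # compiled form of ThemeServlet.java

def scan_archive(data, label):
    """Return entries named ThemeServlet.class, descending into nested archives."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == TARGET:
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_EXTS):
                hits.extend(scan_archive(zf.read(name), f"{label}!/{name}"))
    return hits

def scan_tree(root):
    """Walk root and report loose class files and matches inside archives."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn == TARGET:
                hits.append(path)
            elif fn.lower().endswith(ARCHIVE_EXTS):
                with open(path, "rb") as fh:
                    hits.extend(scan_archive(fh.read(), path))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: a WAR bundling a jar with the class, plus a clean jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("example/theme/ThemeServlet.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/ui-components.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as z:
        z.writestr("example/Other.class", b"\xca\xfe\xba\xbe")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("\n".join(scan_tree(tmp)))
```

To check a real installation, call `scan_tree()` on the application server's install directory; an empty result means no archive under that path contains the class.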