It was found that the JBossWeb Bayeux component would include the contents of the jsonp request parameter in the response without escaping it. A remote attacker could use this flaw to perform reflected cross-site scripting (XSS) attacks under certain conditions. The content type of the response is text/json, which a browser that performs content sniffing can still interpret as HTML. If the browser evaluates the response, this flaw could be exploited by a DOM-based XSS attack.
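The following is an added illustration of the vulnerable pattern beside a hardened form; it is not JBossWeb's code and the function names, the callback allow-list and the headers are assumptions chosen for the example. The flawed variant reflects the jsonp parameter verbatim under a sniffable content type, while the hardened variant restricts the callback to a JavaScript identifier and marks the response as non-sniffable script.

```python
import json
import re

# Assumed allow-list policy (not JBossWeb's): a JavaScript identifier,
# optionally dotted, and nothing else. Anything containing markup
# characters such as '<' or '"' is rejected outright.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def build_jsonp_response_vulnerable(callback, payload):
    """Models the flaw described above: the jsonp parameter is written
    into the body unchanged, and the content type is sniffable."""
    body = f"{callback}({json.dumps(payload)});"
    headers = {"Content-Type": "text/json"}
    return headers, body


def build_jsonp_response_hardened(callback, payload):
    """Refuses any callback outside the allow-list, serves the result as
    script rather than text/json, and disables content sniffing."""
    if not CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback name")
    body = f"{callback}({json.dumps(payload)});"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def is_callback_reflected_unescaped(callback, body):
    """Detection helper for a response audit: True when the raw request
    parameter appears verbatim in the response body."""
    return callback in body


if __name__ == "__main__":
    # Constructed sample: harmless markup in the parameter shows the reflection.
    tainted = "<b>cb</b>"
    _, body = build_jsonp_response_vulnerable(tainted, {"ok": True})
    print("reflected unescaped:", is_callback_reflected_unescaped(tainted, body))
    try:
        build_jsonp_response_hardened(tainted, {"ok": True})
    except ValueError as exc:
        print("hardened variant rejected it:", exc)
    print(build_jsonp_response_hardened("jQuery123.cb", {"ok": True}))
```

The allow-list check is the decisive control: escaping alone is awkward for a value that must remain a bare JavaScript identifier, so rejecting anything that is not one removes the injection point, and the nosniff header closes the content-sniffing route mentioned above even if some other value were ever reflected.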
Upstream Fix: http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossweb?view=revision&revision=2176
Upstream Bug: https://issues.jboss.org/browse/JBWEB-267
Statement: Red Hat JBoss Enterprise Application Platform 6 prior to 6.1.1 and Red Hat JBoss Portal Platform 6 prior to 6.1.0 are affected by this flaw. All users of vulnerable versions are advised to update to 6.1.1 or later of Red Hat JBoss Enterprise Application Platform 6 and to 6.1.0 or later of Red Hat JBoss Portal Platform 6.
Acknowledgements: This issue was discovered by David Jorm of Red Hat Product Security.