Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ‘;’ character, as demonstrated by a URI containing a “snp/snoop.jsp;” sequence.
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html
lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
osvdb.org/36080
rhn.redhat.com/errata/RHSA-2008-0630.html
secunia.com/advisories/26076
secunia.com/advisories/27037
secunia.com/advisories/27727
secunia.com/advisories/29392
secunia.com/advisories/30802
secunia.com/advisories/31493
secunia.com/advisories/33668
securityreason.com/securityalert/2804
support.apple.com/kb/HT2163
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
tomcat.apache.org/security-4.html
tomcat.apache.org/security-5.html
tomcat.apache.org/security-6.html
www.mandriva.com/security/advisories?name=MDKSA-2007:241
www.redhat.com/support/errata/RHSA-2007-0569.html
www.redhat.com/support/errata/RHSA-2008-0261.html
www.securityfocus.com/archive/1/471351/100/0/threaded
www.securityfocus.com/archive/1/500396/100/0/threaded
www.securityfocus.com/archive/1/500412/100/0/threaded
www.securityfocus.com/bid/24476
www.securitytracker.com/id?1018245
www.vupen.com/english/advisories/2007/2213
www.vupen.com/english/advisories/2007/3386
www.vupen.com/english/advisories/2008/1981/references
www.vupen.com/english/advisories/2009/0233
exchange.xforce.ibmcloud.com/vulnerabilities/34869
lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10578
www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html