GitHub Advisory DatabaseGHSA-C78G-QWPW-2JGVImproper Neutralization of Input During Web Page Generation in Apache Tomcat
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.013 Low
EPSS
Percentile
85.8%
Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.tomcat:tomcat | le | 6.0.29 | |
| org.apache.tomcat:tomcat | lt | 7.0.5 |
References
bugzilla.redhat.com/show_bug.cgi?id=656246
github.com/advisories/GHSA-c78g-qwpw-2jgv
github.com/apache/tomcat/commit/5971f9392edc6d70808b2599b062b050fcd11d23
lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
marc.info/?l=bugtraq&m=139344343412337&w=2
nvd.nist.gov/vuln/detail/CVE-2010-4172
tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.5
www.redhat.com/support/errata/RHSA-2011-0896.html
www.redhat.com/support/errata/RHSA-2011-0897.html
www.securityfocus.com/archive/1/514866/100/0/threaded
www.ubuntu.com/usn/USN-1048-1
www.vupen.com/english/advisories/2010/3047
www.vupen.com/english/advisories/2011/0203
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.013 Low
EPSS
Percentile
85.8%