4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.013 Low
EPSS
Percentile
85.8%
Low: Cross-site scripting CVE-2010-4172
The Manager application used the user provided parameters sort and orderBy directly without filtering thereby permitting cross-site scripting. The CSRF protection, which is enabled by default, prevents an attacker from exploiting this.
This was fixed in revision 1037778.
This was first reported to the Tomcat security team on 15 Nov 2010 and made public on 22 Nov 2010.
Affects: 7.0.0-7.0.4
CPE | Name | Operator | Version |
---|---|---|---|
apache tomcat | ge | 7.0.0 | |
apache tomcat | le | 7.0.4 |