CVE-2007-3386

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 5.5.0 through 5.5.24 Apache Tomcat versions 6.0.0 through 6.0.13

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary HTML and web script via crafted requests. This is possible because the Host Manager Servlet does not filter user-supplied data before display, enabling an XSS attack. For example, an attack can be demonstrated using the aliases parameter to an "html/add" action.

Recommendations For Apache Tomcat versions 5.5.0 through 5.5.24, update to a version that includes the fix for this issue. For Apache Tomcat versions 6.0.0 through 6.0.13, update to a version that includes the fix for this issue. As a temporary workaround, consider filtering user-supplied data in the Host Manager Servlet to prevent XSS attacks.