CVE-2009-0781

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 4.1.0 through 4.1.39 Apache Tomcat versions 5.5.0 through 5.5.27 Apache Tomcat versions 6.0.0 through 6.0.18

Description The issue is related to a cross-site scripting (XSS) flaw in the calendar application, specifically in the jsp/cal/cal2.jsp file. This flaw is caused by invalid HTML, which makes the XSS filtering protection ineffective. Remote attackers can inject arbitrary web script or HTML via the time parameter.

Recommendations For Apache Tomcat versions 4.1.0 through 4.1.39, update to a version outside of this range to resolve the issue. For Apache Tomcat versions 5.5.0 through 5.5.27, update to a version outside of this range to resolve the issue. For Apache Tomcat versions 6.0.0 through 6.0.18, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the calendar application in the examples web application until a patch is available. Avoid using the time parameter in the affected jsp/cal/cal2.jsp file until the issue is resolved.