CVE-2006-7196

Name of the Vulnerable Software and Affected Versions: Apache Tomcat versions 4.0.0 through 4.0.6 Apache Tomcat versions 4.1.0 through 4.1.31 Apache Tomcat versions 5.0.0 through 5.0.30 Apache Tomcat versions 5.5.0 through 5.5.15

Description: The issue is related to a cross-site scripting (XSS) vulnerability in the calendar application example. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the time parameter to "cal2.jsp" and possibly other vectors. The calendar application is susceptible to this attack because it does not escape user-provided data before including it in the returned page.

Recommendations: For Apache Tomcat versions 4.0.0 through 4.0.6, update to a version outside of this range to resolve the issue. For Apache Tomcat versions 4.1.0 through 4.1.31, update to a version outside of this range to resolve the issue. For Apache Tomcat versions 5.0.0 through 5.0.30, update to a version outside of this range to resolve the issue. For Apache Tomcat versions 5.5.0 through 5.5.15, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the calendar application example until a patch is available. Avoid using the time parameter in the "cal2.jsp" endpoint until the issue is resolved.