PT-2007-3775 · Apache · Apache Tomcat

Daiki Fukumori · Published 2007-06-14 · Updated 2022-05-01 · CVE-2007-2450

CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 4.0.0 through 4.0.6
Apache Tomcat versions 4.1.0 through 4.1.36
Apache Tomcat versions 5.0.0 through 5.0.30
Apache Tomcat versions 5.5.0 through 5.5.24
Apache Tomcat versions 6.0.0 through 6.0.13
Description

The Manager and Host Manager web applications in Apache Tomcat contain multiple cross-site scripting (XSS) vulnerabilities. They allow remote authenticated users to inject arbitrary web script or HTML via a parameter name sent to "manager/html/upload", and through other unspecified vectors. Because the injected markup is reflected to users who hold Manager credentials, the impact is limited to integrity (I:P) and requires authentication (Au:S), which is what the CVSS vector above records.
Recommendations

Update Apache Tomcat to a version outside the affected range for your branch:

Apache Tomcat versions 4.0.0 through 4.0.6: update to a version outside this range
Apache Tomcat versions 4.1.0 through 4.1.36: update to a version outside this range
Apache Tomcat versions 5.0.0 through 5.0.30: update to a version outside this range
Apache Tomcat versions 5.5.0 through 5.5.24: update to a version outside this range
Apache Tomcat versions 6.0.0 through 6.0.13: update to a version outside this range

As a temporary workaround, restrict access to the "manager/html/upload" endpoint until the update can be applied.
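The parameter-name vector described above, shown as an added example that is not Tomcat's own Manager code: a plain-Java rendering of a request's parameter map, first in the vulnerable shape (only values escaped, names echoed raw) and then hardened so that names are escaped as well. The class and method names are my own, and the parameter map is constructed inline to stand in for HttpServletRequest.getParameterMap().

```java
import java.util.LinkedHashMap;
import java.util.Map;

public final class ParamTableRenderer {
    /** Escapes the five characters that matter in HTML text and attribute content. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the value is escaped but the request-controlled NAME is echoed raw. */
    static String renderUnsafe(Map<String, String[]> params) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            html.append("<tr><td>").append(e.getKey())               // name: not escaped
                .append("</td><td>").append(escapeHtml(e.getValue()[0])).append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    /** Hardened pattern: every request-derived string, names included, goes through escapeHtml. */
    static String renderSafe(Map<String, String[]> params) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            html.append("<tr><td>").append(escapeHtml(e.getKey()))
                .append("</td><td>").append(escapeHtml(e.getValue()[0])).append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample, shaped like HttpServletRequest.getParameterMap() output for a Manager form.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("deployPath", new String[] {"/demo"});
        params.put("<i>name</i>", new String[] {"x"});  // markup carried in the parameter NAME
        System.out.println(renderUnsafe(params));       // "<i>name</i>" lands in the page as markup
        System.out.println(renderSafe(params));         // "&lt;i&gt;name&lt;/i&gt;", rendered as text
    }
}
```

Compile and run with javac and java; no servlet API jar is needed because the map stands in for the request. Output encoding of every request-derived string is the code-level fix; the access restriction recommended above is a separate, complementary control.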

Exploit · Fix · XSS



Related Identifiers

CVE-2007-2450
DSA-1468-1
GHSA-5C5P-JXVX-X7J2
HPSBUX02262
RHSA-2007:0569
RHSA-2007:0876
RHSA-2007_0569
RHSA-2008:0261
RHSA-2008:0524

Affected Products

Apache Tomcat
HP-UX
Red Hat