PT-2007-4661 · Apache+2 · Apache Tomcat+2

Published

2007-08-13

Updated

2018-10-16

CVE-2007-3386

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 5.5.0 through 5.5.24 Apache Tomcat versions 6.0.0 through 6.0.13

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary HTML and web script via crafted requests. This is possible because the Host Manager Servlet does not filter user-supplied data before display, enabling an XSS attack. For example, an attack can be demonstrated using the aliases parameter to an "html/add" action.

Recommendations For Apache Tomcat versions 5.5.0 through 5.5.24, update to a version that includes the fix for this issue. For Apache Tomcat versions 6.0.0 through 6.0.13, update to a version that includes the fix for this issue. As a temporary workaround, consider filtering user-supplied data in the Host Manager Servlet to prevent XSS attacks.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2007-3386

DSA-1447-1

HPSBUX02262

RHSA-2007:0871

RHSA-2007:0876

RHSA-2007_0871

Affected Products

Apache Tomcat

Hp-Ux

Red Hat

PT-2007-4661 · Apache+2 · Apache Tomcat+2

CVE-2007-3386

Weakness Enumeration

Related Identifiers

Affected Products

References · 62