CVE-2008-1947

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 5.5.9 through 5.5.26 Apache Tomcat versions 6.0.0 through 6.0.16

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the name parameter (also known as the hostname attribute) to the host-manager/html/add endpoint. This occurs because the Host Manager web application did not properly escape user-provided data before including it in the output, enabling a XSS attack. The application now filters the data before use.

Recommendations For Apache Tomcat versions 5.5.9 through 5.5.26, consider updating to a version outside of this range to mitigate the risk. For Apache Tomcat versions 6.0.0 through 6.0.16, consider updating to a version outside of this range to mitigate the risk. As a temporary workaround, logging out (closing the browser) of the Host Manager web application once management tasks have been completed may help mitigate the issue.