PT-2010-5335 · Apache +1 · Apache Tomcat +1

Marc Schoenefeld · Published 2010-11-26 · Updated 2023-02-13 · CVE-2010-4172

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 6.0.12 through 6.0.29
Apache Tomcat versions 7.0.0 through 7.0.4

Description
The issue allows remote attackers to inject arbitrary web script or HTML via the orderBy or sort parameters to "sessionsList.jsp", or via unspecified input to "sessionDetail.jsp" or "java/org/apache/catalina/manager/JspHelper.java". This is related to the use of untrusted web applications. The Manager application used the user-provided parameters sort and orderBy directly without filtering, thereby permitting cross-site scripting.

Recommendations
For Apache Tomcat versions 6.0.12 through 6.0.29, consider disabling the Manager application until a patch is available. For Apache Tomcat versions 7.0.0 through 7.0.4, avoid using the sort and orderBy parameters of the affected "sessionsList.jsp" endpoint until the issue is resolved. Restrict access to the "sessionDetail.jsp" and "java/org/apache/catalina/manager/JspHelper.java" components to minimize the risk of exploitation.

XSS

Related Identifiers

CVE-2010-4172
GHSA-C78G-QWPW-2JGV
RHSA-2011:0791
RHSA-2011:0897

Affected Products

Apache Tomcat
Red Hat