CVE-2007-2450: XSS
First published: Thu Jun 14 2007(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tomcat | =4.1.2 | |
| Apache Tomcat | =4.0.4 | |
| Apache Tomcat | =4.1.36 | |
| Apache Tomcat | =4.1.9-beta | |
| Apache Tomcat | =5.5.18 | |
| Apache Tomcat | =5.0.8 | |
| Apache Tomcat | =5.0.19 | |
| Apache Tomcat | =6.0.6 | |
| Apache Tomcat | =6.0.11 | |
| Apache Tomcat | =5.5.12 | |
| Apache Tomcat | =5.0.14 | |
| Apache Tomcat | =5.5.14 | |
| Apache Tomcat | =4.1.24 | |
| Apache Tomcat | =5.5.10 | |
| Apache Tomcat | =5.0.22 | |
| Apache Tomcat | =5.5.4 | |
| Apache Tomcat | =5.5.7 | |
| Apache Tomcat | =5.5.1 | |
| Apache Tomcat | =5.0.7 | |
| Apache Tomcat | =6.0.7 | |
| Apache Tomcat | =5.5.11 | |
| Apache Tomcat | =6.0.4 | |
| Apache Tomcat | =5.5.6 | |
| Apache Tomcat | =5.0.9 | |
| Apache Tomcat | =5.0.15 | |
| Apache Tomcat | =5.0.30 | |
| Apache Tomcat | =5.5.20 | |
| Apache Tomcat | =5.5.15 | |
| Apache Tomcat | =5.0.23 | |
| Apache Tomcat | =5.0.2 | |
| Apache Tomcat | =5.5.5 | |
| Apache Tomcat | =5.0.10 | |
| Apache Tomcat | =5.0.21 | |
| Apache Tomcat | =5.0.26 | |
| Apache Tomcat | =5.5.21 | |
| Apache Tomcat | =5.5.22 | |
| Apache Tomcat | =6.0.10 | |
| Apache Tomcat | =6.0.3 | |
| Apache Tomcat | =5.0.0 | |
| Apache Tomcat | =5.0.6 | |
| Apache Tomcat | =6.0.9 | |
| Apache Tomcat | =4.1.31 | |
| Apache Tomcat | =5.5.3 | |
| Apache Tomcat | =5.0.27 | |
| Apache Tomcat | =5.0.16 | |
| Apache Tomcat | =4.0.6 | |
| Apache Tomcat | =5.5.9 | |
| Apache Tomcat | =4.0.3 | |
| Apache Tomcat | =5.0.18 | |
| Apache Tomcat | =6.0.0 | |
| Apache Tomcat | =4.0.1 | |
| Apache Tomcat | =5.5.2 | |
| Apache Tomcat | =5.0.5 | |
| Apache Tomcat | =5.0.28 | |
| Apache Tomcat | =5.0.29 | |
| Apache Tomcat | =5.5.0 | |
| Apache Tomcat | =4.1.1 | |
| Apache Tomcat | =5.5.13 | |
| Apache Tomcat | =6.0.1 | |
| Apache Tomcat | =6.0.12 | |
| Apache Tomcat | =5.5.24 | |
| Apache Tomcat | =4.1.28 | |
| Apache Tomcat | =5.0.13 | |
| Apache Tomcat | =4.1.15 | |
| Apache Tomcat | =4.1.3-beta | |
| Apache Tomcat | =4.1.10 | |
| Apache Tomcat | =5.5.8 | |
| Apache Tomcat | =5.0.17 | |
| Apache Tomcat | =5.5.16 | |
| Apache Tomcat | =4.1.0 | |
| Apache Tomcat | =6.0.5 | |
| Apache Tomcat | =4.0.2 | |
| Apache Tomcat | =5.5.17 | |
| Apache Tomcat | =4.1.3 | |
| Apache Tomcat | =5.5.19 | |
| Apache Tomcat | =4.0.5 | |
| Apache Tomcat | =4.0.0 | |
| Apache Tomcat | =5.0.4 | |
| Apache Tomcat | =6.0.2 | |
| Apache Tomcat | =5.0.25 | |
| Apache Tomcat | =6.0.13 | |
| Apache Tomcat | =5.0.1 | |
| Apache Tomcat | =5.0.11 | |
| Apache Tomcat | =5.5.23 | |
| Apache Tomcat | =5.0.3 | |
| Apache Tomcat | =5.0.24 | |
| Apache Tomcat | =6.0.8 | |
| Apache Tomcat | =5.0.12 | |
| maven/org.apache.tomcat:tomcat | >=6.0.0<=6.0.13 | 6.0.14 |
| maven/org.apache.tomcat:tomcat | >=5.5.0<=5.5.24 | 5.5.25 |
| maven/org.apache.tomcat:tomcat | >=5.0.0<=5.0.30 | |
| maven/org.apache.tomcat:tomcat | >=4.1.0<=4.1.36 | 4.1.37 |
| maven/org.apache.tomcat:tomcat | >=4.0.0<=4.0.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://tomcat.apache.org/security-6.html
- http://jvn.jp/jp/JVN%2307100457/index.html
- http://tomcat.apache.org/security-4.html
- http://tomcat.apache.org/security-5.html
- https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
- http://www.redhat.com/support/errata/RHSA-2007-0569.html
- http://www.securityfocus.com/bid/24475
- http://www.osvdb.org/36079
- http://www.securitytracker.com/id?1018245
- http://secunia.com/advisories/25678
- http://secunia.com/advisories/26076
- http://secunia.com/advisories/27037
- http://secunia.com/advisories/27727
- http://securityreason.com/securityalert/2813
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
- http://www.debian.org/security/2008/dsa-1468
- http://secunia.com/advisories/28549
- http://www.redhat.com/support/errata/RHSA-2008-0261.html
- http://support.apple.com/kb/HT2163
- http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1
- http://secunia.com/advisories/30802
- http://secunia.com/advisories/30908
- http://secunia.com/advisories/30899
- http://secunia.com/advisories/33668
- http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
- http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
- http://www.vupen.com/english/advisories/2009/0233
- http://www.vupen.com/english/advisories/2007/2213
- http://www.vupen.com/english/advisories/2007/3386
- http://www.vupen.com/english/advisories/2008/1979/references
- http://www.vupen.com/english/advisories/2008/1981/references
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34868
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11287
- http://www.securityfocus.com/archive/1/500412/100/0/threaded
- http://www.securityfocus.com/archive/1/500396/100/0/threaded
- http://www.securityfocus.com/archive/1/471357/100/0/threaded
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2007-2450
- https://github.com/apache/tomcat/commit/1bc3bcb2848f478fd6674487d6dad507fd5dd686
- https://web.archive.org/web/20071203205513/http://secunia.com/advisories/25678
- https://web.archive.org/web/20080212014926/http://secunia.com/advisories/26076
- https://web.archive.org/web/20080320042501/http://secunia.com/advisories/27727
- https://web.archive.org/web/20080324012730/http://secunia.com/advisories/28549
- https://web.archive.org/web/20080413164556/http://securitytracker.com/alerts/2007/Jun/1018245.html
- https://web.archive.org/web/20080724125033/http://secunia.com/advisories/27037
- https://web.archive.org/web/20080801204240/http://secunia.com/advisories/30899
- https://web.archive.org/web/20080801210056/http://secunia.com/advisories/30802
- https://web.archive.org/web/20090623202429/http://secunia.com/advisories/33668
- https://web.archive.org/web/20120809122231/http://secunia.com/advisories/30908
- https://web.archive.org/web/20200229180652/http://www.securityfocus.com/bid/24475
- https://web.archive.org/web/20200517122628/http://www.securityfocus.com/archive/1/500396/100/0/threaded
- https://web.archive.org/web/20200517153851/http://www.securityfocus.com/archive/1/500412/100/0/threaded
- https://web.archive.org/web/20200809062244/http://www.securityfocus.com/archive/1/471357/100/0/threaded
- https://web.archive.org/web/20201207215920/https://cxsecurity.com/issue/WLB-2007060074
- https://github.com/advisories/GHSA-5c5p-jxvx-x7j2 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2007-2450?
CVE-2007-2450 is classified as a medium severity vulnerability due to its potential for cross-site scripting attacks.
How do I fix CVE-2007-2450?
To address CVE-2007-2450, upgrade to Apache Tomcat version 6.0.14, 5.5.25, or 4.1.37 which contain security fixes.
What applications are affected by CVE-2007-2450?
CVE-2007-2450 affects Apache Tomcat versions 4.0.0 to 6.0.13, including various versions within that range.
Can I mitigate CVE-2007-2450 without upgrading?
Mitigation options for CVE-2007-2450 are limited; the best practice is to apply the recommended upgrades.
What type of vulnerability is CVE-2007-2450?
CVE-2007-2450 is a cross-site scripting (XSS) vulnerability that allows authenticated users to inject arbitrary web scripts.
- collector/nvd-historical
- collector/nvd-index
- collector/nvd-api
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5c5p-jxvx-x7j2
- alias/CVE-2007-2450
- agent/software-canonical-lookup
- agent/references
- agent/remedy
- agent/weakness
- agent/severity
- agent/softwarecombine
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/tags
- agent/source
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/4.1.2
- version/apache tomcat/4.0.4
- version/apache tomcat/4.1.36
- version/apache tomcat/4.1.9-beta
- version/apache tomcat/5.5.18
- version/apache tomcat/5.0.8
- version/apache tomcat/5.0.19
- version/apache tomcat/6.0.6
- version/apache tomcat/6.0.11
- version/apache tomcat/5.5.12
- version/apache tomcat/5.0.14
- version/apache tomcat/5.5.14
- version/apache tomcat/4.1.24
- version/apache tomcat/5.5.10
- version/apache tomcat/5.0.22
- version/apache tomcat/5.5.4
- version/apache tomcat/5.5.7
- version/apache tomcat/5.5.1
- version/apache tomcat/5.0.7
- version/apache tomcat/6.0.7
- version/apache tomcat/5.5.11
- version/apache tomcat/6.0.4
- version/apache tomcat/5.5.6
- version/apache tomcat/5.0.9
- version/apache tomcat/5.0.15
- version/apache tomcat/5.0.30
- version/apache tomcat/5.5.20
- version/apache tomcat/5.5.15
- version/apache tomcat/5.0.23
- version/apache tomcat/5.0.2
- version/apache tomcat/5.5.5
- version/apache tomcat/5.0.10
- version/apache tomcat/5.0.21
- version/apache tomcat/5.0.26
- version/apache tomcat/5.5.21
- version/apache tomcat/5.5.22
- version/apache tomcat/6.0.10
- version/apache tomcat/6.0.3
- version/apache tomcat/5.0.0
- version/apache tomcat/5.0.6
- version/apache tomcat/6.0.9
- version/apache tomcat/4.1.31
- version/apache tomcat/5.5.3
- version/apache tomcat/5.0.27
- version/apache tomcat/5.0.16
- version/apache tomcat/4.0.6
- version/apache tomcat/5.5.9
- version/apache tomcat/4.0.3
- version/apache tomcat/5.0.18
- version/apache tomcat/6.0.0
- version/apache tomcat/4.0.1
- version/apache tomcat/5.5.2
- version/apache tomcat/5.0.5
- version/apache tomcat/5.0.28
- version/apache tomcat/5.0.29
- version/apache tomcat/5.5.0
- version/apache tomcat/4.1.1
- version/apache tomcat/5.5.13
- version/apache tomcat/6.0.1
- version/apache tomcat/6.0.12
- version/apache tomcat/5.5.24
- version/apache tomcat/4.1.28
- version/apache tomcat/5.0.13
- version/apache tomcat/4.1.15
- version/apache tomcat/4.1.3-beta
- version/apache tomcat/4.1.10
- version/apache tomcat/5.5.8
- version/apache tomcat/5.0.17
- version/apache tomcat/5.5.16
- version/apache tomcat/4.1.0
- version/apache tomcat/6.0.5
- version/apache tomcat/4.0.2
- version/apache tomcat/5.5.17
- version/apache tomcat/4.1.3
- version/apache tomcat/5.5.19
- version/apache tomcat/4.0.5
- version/apache tomcat/4.0.0
- version/apache tomcat/5.0.4
- version/apache tomcat/6.0.2
- version/apache tomcat/5.0.25
- version/apache tomcat/6.0.13
- version/apache tomcat/5.0.1
- version/apache tomcat/5.0.11
- version/apache tomcat/5.5.23
- version/apache tomcat/5.0.3
- version/apache tomcat/5.0.24
- version/apache tomcat/6.0.8
- version/apache tomcat/5.0.12
- package-manager/maven