CVE-2007-3386: XSS
First published: Tue Aug 14 2007(Updated: )
Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Tomcat | =5.5.0 | |
| Tomcat | =5.5.1 | |
| Tomcat | =5.5.2 | |
| Tomcat | =5.5.3 | |
| Tomcat | =5.5.4 | |
| Tomcat | =5.5.5 | |
| Tomcat | =5.5.6 | |
| Tomcat | =5.5.7 | |
| Tomcat | =5.5.8 | |
| Tomcat | =5.5.9 | |
| Tomcat | =5.5.10 | |
| Tomcat | =5.5.11 | |
| Tomcat | =5.5.12 | |
| Tomcat | =5.5.13 | |
| Tomcat | =5.5.14 | |
| Tomcat | =5.5.15 | |
| Tomcat | =5.5.16 | |
| Tomcat | =5.5.17 | |
| Tomcat | =5.5.18 | |
| Tomcat | =5.5.19 | |
| Tomcat | =5.5.20 | |
| Tomcat | =5.5.21 | |
| Tomcat | =5.5.22 | |
| Tomcat | =5.5.23 | |
| Tomcat | =5.5.24 | |
| Tomcat | =6.0.0 | |
| Tomcat | =6.0.1 | |
| Tomcat | =6.0.2 | |
| Tomcat | =6.0.3 | |
| Tomcat | =6.0.4 | |
| Tomcat | =6.0.5 | |
| Tomcat | =6.0.6 | |
| Tomcat | =6.0.7 | |
| Tomcat | =6.0.8 | |
| Tomcat | =6.0.9 | |
| Tomcat | =6.0.10 | |
| Tomcat | =6.0.11 | |
| Tomcat | =6.0.12 | |
| Tomcat | =6.0.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://tomcat.apache.org/security-6.html
- http://jvn.jp/jp/JVN%2359851336/index.html
- https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
- http://www.redhat.com/support/errata/RHSA-2007-0871.html
- http://www.securityfocus.com/bid/25314
- http://securitytracker.com/id?1018558
- http://secunia.com/advisories/26465
- http://secunia.com/advisories/26898
- http://secunia.com/advisories/27037
- http://secunia.com/advisories/27267
- http://secunia.com/advisories/27727
- http://securityreason.com/securityalert/3010
- http://www.debian.org/security/2008/dsa-1447
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
- http://secunia.com/advisories/28317
- http://osvdb.org/36417
- http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
- http://secunia.com/advisories/33668
- http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
- http://www.vupen.com/english/advisories/2009/0233
- http://www.vupen.com/english/advisories/2007/2880
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
- http://www.vupen.com/english/advisories/2007/3386
- http://www.vupen.com/english/advisories/2007/3527
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36001
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10077
- http://www.securityfocus.com/archive/1/500412/100/0/threaded
- http://www.securityfocus.com/archive/1/500396/100/0/threaded
- http://www.securityfocus.com/archive/1/476448/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2007-3386?
CVE-2007-3386 is considered a moderate severity vulnerability that allows cross-site scripting (XSS) attacks.
How do I fix CVE-2007-3386?
To fix CVE-2007-3386, upgrade Apache Tomcat to version 6.0.14 or later and 5.5.25 or later.
What versions of Apache Tomcat are affected by CVE-2007-3386?
CVE-2007-3386 affects Apache Tomcat versions 5.5.0 to 5.5.24 and 6.0.0 to 6.0.13.
What types of attacks can be performed using the CVE-2007-3386 vulnerability?
The CVE-2007-3386 vulnerability can be exploited to inject and execute arbitrary HTML and web scripts in a user's browser.
Is CVE-2007-3386 widely exploitable?
Yes, CVE-2007-3386 can be exploited by attackers who can craft specific HTTP requests to the Host Manager Servlet.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/author
- agent/references
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/weakness
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/apache
- canonical/tomcat
- version/tomcat/5.5.0
- version/tomcat/5.5.1
- version/tomcat/5.5.2
- version/tomcat/5.5.3
- version/tomcat/5.5.4
- version/tomcat/5.5.5
- version/tomcat/5.5.6
- version/tomcat/5.5.7
- version/tomcat/5.5.8
- version/tomcat/5.5.9
- version/tomcat/5.5.10
- version/tomcat/5.5.11
- version/tomcat/5.5.12
- version/tomcat/5.5.13
- version/tomcat/5.5.14
- version/tomcat/5.5.15
- version/tomcat/5.5.16
- version/tomcat/5.5.17
- version/tomcat/5.5.18
- version/tomcat/5.5.19
- version/tomcat/5.5.20
- version/tomcat/5.5.21
- version/tomcat/5.5.22
- version/tomcat/5.5.23
- version/tomcat/5.5.24
- version/tomcat/6.0.0
- version/tomcat/6.0.1
- version/tomcat/6.0.2
- version/tomcat/6.0.3
- version/tomcat/6.0.4
- version/tomcat/6.0.5
- version/tomcat/6.0.6
- version/tomcat/6.0.7
- version/tomcat/6.0.8
- version/tomcat/6.0.9
- version/tomcat/6.0.10
- version/tomcat/6.0.11
- version/tomcat/6.0.12
- version/tomcat/6.0.13