CVE-2007-3386: XSS
First published: Tue Aug 14 2007(Updated: )
Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tomcat | =5.5.18 | |
| Apache Tomcat | =6.0.6 | |
| Apache Tomcat | =6.0.11 | |
| Apache Tomcat | =5.5.12 | |
| Apache Tomcat | =5.5.14 | |
| Apache Tomcat | =5.5.10 | |
| Apache Tomcat | =5.5.4 | |
| Apache Tomcat | =5.5.7 | |
| Apache Tomcat | =5.5.1 | |
| Apache Tomcat | =6.0.7 | |
| Apache Tomcat | =5.5.11 | |
| Apache Tomcat | =6.0.4 | |
| Apache Tomcat | =5.5.6 | |
| Apache Tomcat | =5.5.20 | |
| Apache Tomcat | =5.5.15 | |
| Apache Tomcat | =5.5.5 | |
| Apache Tomcat | =5.5.21 | |
| Apache Tomcat | =5.5.22 | |
| Apache Tomcat | =6.0.10 | |
| Apache Tomcat | =6.0.3 | |
| Apache Tomcat | =6.0.9 | |
| Apache Tomcat | =5.5.3 | |
| Apache Tomcat | =5.5.9 | |
| Apache Tomcat | =6.0.0 | |
| Apache Tomcat | =5.5.2 | |
| Apache Tomcat | =5.5.0 | |
| Apache Tomcat | =5.5.13 | |
| Apache Tomcat | =6.0.1 | |
| Apache Tomcat | =6.0.12 | |
| Apache Tomcat | =5.5.24 | |
| Apache Tomcat | =5.5.8 | |
| Apache Tomcat | =5.5.16 | |
| Apache Tomcat | =6.0.5 | |
| Apache Tomcat | =5.5.17 | |
| Apache Tomcat | =5.5.19 | |
| Apache Tomcat | =6.0.2 | |
| Apache Tomcat | =6.0.13 | |
| Apache Tomcat | =5.5.23 | |
| Apache Tomcat | =6.0.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://tomcat.apache.org/security-6.html
- http://jvn.jp/jp/JVN%2359851336/index.html
- https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
- http://www.redhat.com/support/errata/RHSA-2007-0871.html
- http://www.securityfocus.com/bid/25314
- http://securitytracker.com/id?1018558
- http://secunia.com/advisories/26465
- http://secunia.com/advisories/26898
- http://secunia.com/advisories/27037
- http://secunia.com/advisories/27267
- http://secunia.com/advisories/27727
- http://securityreason.com/securityalert/3010
- http://www.debian.org/security/2008/dsa-1447
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
- http://secunia.com/advisories/28317
- http://osvdb.org/36417
- http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
- http://secunia.com/advisories/33668
- http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
- http://www.vupen.com/english/advisories/2009/0233
- http://www.vupen.com/english/advisories/2007/2880
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
- http://www.vupen.com/english/advisories/2007/3386
- http://www.vupen.com/english/advisories/2007/3527
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36001
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10077
- http://www.securityfocus.com/archive/1/500412/100/0/threaded
- http://www.securityfocus.com/archive/1/500396/100/0/threaded
- http://www.securityfocus.com/archive/1/476448/100/0/threaded
- collector/nvd-historical
- collector/nvd-index
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- agent/event
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/5.5.18
- version/apache tomcat/6.0.6
- version/apache tomcat/6.0.11
- version/apache tomcat/5.5.12
- version/apache tomcat/5.5.14
- version/apache tomcat/5.5.10
- version/apache tomcat/5.5.4
- version/apache tomcat/5.5.7
- version/apache tomcat/5.5.1
- version/apache tomcat/6.0.7
- version/apache tomcat/5.5.11
- version/apache tomcat/6.0.4
- version/apache tomcat/5.5.6
- version/apache tomcat/5.5.20
- version/apache tomcat/5.5.15
- version/apache tomcat/5.5.5
- version/apache tomcat/5.5.21
- version/apache tomcat/5.5.22
- version/apache tomcat/6.0.10
- version/apache tomcat/6.0.3
- version/apache tomcat/6.0.9
- version/apache tomcat/5.5.3
- version/apache tomcat/5.5.9
- version/apache tomcat/6.0.0
- version/apache tomcat/5.5.2
- version/apache tomcat/5.5.0
- version/apache tomcat/5.5.13
- version/apache tomcat/6.0.1
- version/apache tomcat/6.0.12
- version/apache tomcat/5.5.24
- version/apache tomcat/5.5.8
- version/apache tomcat/5.5.16
- version/apache tomcat/6.0.5
- version/apache tomcat/5.5.17
- version/apache tomcat/5.5.19
- version/apache tomcat/6.0.2
- version/apache tomcat/6.0.13
- version/apache tomcat/5.5.23
- version/apache tomcat/6.0.8