CVE-2009-0781: XSS
First published: Fri Mar 06 2009(Updated: )
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML."
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tomcat5 | <0:5.5.23-0jpp.7.el5_3.2 | 0:5.5.23-0jpp.7.el5_3.2 |
| Tomcat | =4.1.0 | |
| Tomcat | =4.1.1 | |
| Tomcat | =4.1.2 | |
| Tomcat | =4.1.3 | |
| Tomcat | =4.1.3-beta | |
| Tomcat | =4.1.4 | |
| Tomcat | =4.1.5 | |
| Tomcat | =4.1.6 | |
| Tomcat | =4.1.7 | |
| Tomcat | =4.1.8 | |
| Tomcat | =4.1.9 | |
| Tomcat | =4.1.9-beta | |
| Tomcat | =4.1.10 | |
| Tomcat | =4.1.11 | |
| Tomcat | =4.1.12 | |
| Tomcat | =4.1.13 | |
| Tomcat | =4.1.14 | |
| Tomcat | =4.1.15 | |
| Tomcat | =4.1.16 | |
| Tomcat | =4.1.17 | |
| Tomcat | =4.1.18 | |
| Tomcat | =4.1.19 | |
| Tomcat | =4.1.20 | |
| Tomcat | =4.1.21 | |
| Tomcat | =4.1.22 | |
| Tomcat | =4.1.23 | |
| Tomcat | =4.1.24 | |
| Tomcat | =4.1.25 | |
| Tomcat | =4.1.26 | |
| Tomcat | =4.1.27 | |
| Tomcat | =4.1.28 | |
| Tomcat | =4.1.29 | |
| Tomcat | =4.1.30 | |
| Tomcat | =4.1.31 | |
| Tomcat | =4.1.32 | |
| Tomcat | =4.1.33 | |
| Tomcat | =4.1.34 | |
| Tomcat | =4.1.35 | |
| Tomcat | =4.1.36 | |
| Tomcat | =4.1.37 | |
| Tomcat | =5.5.0 | |
| Tomcat | =5.5.1 | |
| Tomcat | =5.5.2 | |
| Tomcat | =5.5.3 | |
| Tomcat | =5.5.4 | |
| Tomcat | =5.5.5 | |
| Tomcat | =5.5.6 | |
| Tomcat | =5.5.7 | |
| Tomcat | =5.5.8 | |
| Tomcat | =5.5.9 | |
| Tomcat | =5.5.10 | |
| Tomcat | =5.5.11 | |
| Tomcat | =5.5.12 | |
| Tomcat | =5.5.13 | |
| Tomcat | =5.5.14 | |
| Tomcat | =5.5.15 | |
| Tomcat | =5.5.16 | |
| Tomcat | =5.5.17 | |
| Tomcat | =5.5.18 | |
| Tomcat | =5.5.19 | |
| Tomcat | =5.5.20 | |
| Tomcat | =5.5.21 | |
| Tomcat | =5.5.22 | |
| Tomcat | =5.5.23 | |
| Tomcat | =5.5.24 | |
| Tomcat | =5.5.25 | |
| Tomcat | =5.5.26 | |
| Tomcat | =6.0 | |
| Tomcat | =6.0.0 | |
| Tomcat | =6.0.1 | |
| Tomcat | =6.0.2 | |
| Tomcat | =6.0.3 | |
| Tomcat | =6.0.4 | |
| Tomcat | =6.0.5 | |
| Tomcat | =6.0.6 | |
| Tomcat | =6.0.7 | |
| Tomcat | =6.0.8 | |
| Tomcat | =6.0.9 | |
| Tomcat | =6.0.10 | |
| Tomcat | =6.0.11 | |
| Tomcat | =6.0.12 | |
| Tomcat | =6.0.13 | |
| Tomcat | =6.0.14 | |
| Tomcat | =6.0.15 | |
| Tomcat | =6.0.16 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://tomcat.apache.org/security-6.html
- http://tomcat.apache.org/security-4.html
- http://tomcat.apache.org/security-5.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:138
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
- http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1
- http://secunia.com/advisories/35685
- http://secunia.com/advisories/35788
- http://www.vupen.com/english/advisories/2009/1856
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html
- http://secunia.com/advisories/37460
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html
- http://www.vmware.com/security/advisories/VMSA-2009-0016.html
- http://www.vupen.com/english/advisories/2009/3316
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html
- http://support.apple.com/kb/HT4077
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://marc.info/?l=bugtraq&m=129070310906557&w=2
- http://www.vupen.com/english/advisories/2010/3056
- http://secunia.com/advisories/42368
- http://www.debian.org/security/2011/dsa-2207
- http://marc.info/?l=bugtraq&m=136485229118404&w=2
- http://marc.info/?l=bugtraq&m=133469267822771&w=2
- http://marc.info/?l=bugtraq&m=127420533226623&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49213
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6564
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19345
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11041
- http://www.securityfocus.com/archive/1/507985/100/0/threaded
- http://www.securityfocus.com/archive/1/501538/100/0/threaded
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
- http://svn.apache.org/viewvc?rev=750924&view=rev
- http://svn.apache.org/viewvc?rev=750928&view=rev
- http://svn.apache.org/viewvc?rev=750927&view=rev
- http://localhost:8080/examples/jsp/cal/cal2.jsp?time=8am%20STYLE=xss:e/**/xpression(try{a=firstTime}catch(e){firstTime=1;alert('XSS
- http://tomcat.apache.org/security.html
- https://rhn.redhat.com/errata/RHSA-2009-1164.html
- https://access.redhat.com/security/cve/CVE-2009-0781
- https://rhn.redhat.com/errata/RHSA-2009-1562.html
- https://bugzilla.redhat.com/show_bug.cgi?id=489028
- https://www.cve.org/CVERecord?id=CVE-2009-0781 https://nvd.nist.gov/vuln/detail/CVE-2009-0781
- https://access.redhat.com/errata/RHSA-2009:1164
- https://access.redhat.com/errata/RHSA-2009:1562
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0781.json
Frequently Asked Questions
What is the severity of CVE-2009-0781?
CVE-2009-0781 has a medium severity rating, as it allows remote attackers to exploit cross-site scripting vulnerabilities.
How do I fix CVE-2009-0781?
To fix CVE-2009-0781, update your Apache Tomcat installation to version 5.5.28 or later, as these versions have patched the vulnerability.
Which versions of Apache Tomcat are affected by CVE-2009-0781?
CVE-2009-0781 affects Apache Tomcat versions 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18.
What type of vulnerability is CVE-2009-0781?
CVE-2009-0781 is classified as a cross-site scripting (XSS) vulnerability.
Can CVE-2009-0781 be exploited without user interaction?
Yes, CVE-2009-0781 can be exploited by remote attackers without requiring user interaction.
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-0781
- collector/redhat-cve
- agent/software-canonical-lookup
- agent/event
- agent/description
- agent/author
- agent/severity
- agent/references
- agent/trending
- agent/source
- agent/weakness
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- package-manager/redhat
- vendor/apache
- canonical/tomcat
- version/tomcat/4.1.0
- version/tomcat/4.1.1
- version/tomcat/4.1.2
- version/tomcat/4.1.3
- version/tomcat/4.1.3-beta
- version/tomcat/4.1.4
- version/tomcat/4.1.5
- version/tomcat/4.1.6
- version/tomcat/4.1.7
- version/tomcat/4.1.8
- version/tomcat/4.1.9
- version/tomcat/4.1.9-beta
- version/tomcat/4.1.10
- version/tomcat/4.1.11
- version/tomcat/4.1.12
- version/tomcat/4.1.13
- version/tomcat/4.1.14
- version/tomcat/4.1.15
- version/tomcat/4.1.16
- version/tomcat/4.1.17
- version/tomcat/4.1.18
- version/tomcat/4.1.19
- version/tomcat/4.1.20
- version/tomcat/4.1.21
- version/tomcat/4.1.22
- version/tomcat/4.1.23
- version/tomcat/4.1.24
- version/tomcat/4.1.25
- version/tomcat/4.1.26
- version/tomcat/4.1.27
- version/tomcat/4.1.28
- version/tomcat/4.1.29
- version/tomcat/4.1.30
- version/tomcat/4.1.31
- version/tomcat/4.1.32
- version/tomcat/4.1.33
- version/tomcat/4.1.34
- version/tomcat/4.1.35
- version/tomcat/4.1.36
- version/tomcat/4.1.37
- version/tomcat/5.5.0
- version/tomcat/5.5.1
- version/tomcat/5.5.2
- version/tomcat/5.5.3
- version/tomcat/5.5.4
- version/tomcat/5.5.5
- version/tomcat/5.5.6
- version/tomcat/5.5.7
- version/tomcat/5.5.8
- version/tomcat/5.5.9
- version/tomcat/5.5.10
- version/tomcat/5.5.11
- version/tomcat/5.5.12
- version/tomcat/5.5.13
- version/tomcat/5.5.14
- version/tomcat/5.5.15
- version/tomcat/5.5.16
- version/tomcat/5.5.17
- version/tomcat/5.5.18
- version/tomcat/5.5.19
- version/tomcat/5.5.20
- version/tomcat/5.5.21
- version/tomcat/5.5.22
- version/tomcat/5.5.23
- version/tomcat/5.5.24
- version/tomcat/5.5.25
- version/tomcat/5.5.26
- version/tomcat/6.0
- version/tomcat/6.0.0
- version/tomcat/6.0.1
- version/tomcat/6.0.2
- version/tomcat/6.0.3
- version/tomcat/6.0.4
- version/tomcat/6.0.5
- version/tomcat/6.0.6
- version/tomcat/6.0.7
- version/tomcat/6.0.8
- version/tomcat/6.0.9
- version/tomcat/6.0.10
- version/tomcat/6.0.11
- version/tomcat/6.0.12
- version/tomcat/6.0.13
- version/tomcat/6.0.14
- version/tomcat/6.0.15
- version/tomcat/6.0.16