First published: Tue Nov 23 2010(Updated: )
A cross-site-scripting flaw was discovered in the manager application. It reflected the user provided parameters sort and orderBy directly without filtering applied. The issue affects Tomcat 6 (impact=moderate): From 6.0.12 to 6.0.29 and was fixed in r1037779: <a href="http://svn.apache.org/viewvc?rev=1037779&view=rev">http://svn.apache.org/viewvc?rev=1037779&view=rev</a> Upstream 6.0.30 will correct this flaw as noted: <a href="http://tomcat.apache.org/security-6.html">http://tomcat.apache.org/security-6.html</a> The issue affects Tomcat 7 (impact=low, as caught by CSRF protection) : From 7.0.0 to 7.0.4 and was fixed in r1037778: <a href="http://svn.apache.org/viewvc?rev=1037778&view=rev">http://svn.apache.org/viewvc?rev=1037778&view=rev</a> Upstream 7.0.5 will correct this flaw as noted: <a href="http://tomcat.apache.org/security-7.html">http://tomcat.apache.org/security-7.html</a>
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Tomcat | =7.0.1 | |
Apache Tomcat | =7.0.2 | |
Apache Tomcat | =6.0.15 | |
Apache Tomcat | =7.0.0 | |
Apache Tomcat | =6.0.20 | |
Apache Tomcat | =6.0.29 | |
Apache Tomcat | =7.0.0-beta | |
Apache Tomcat | =6.0.24 | |
Apache Tomcat | =6.0.17 | |
Apache Tomcat | =6.0.28 | |
Apache Tomcat | =6.0.14 | |
Apache Tomcat | =6.0.12 | |
Apache Tomcat | =6.0.18 | |
Apache Tomcat | =6.0.13 | |
Apache Tomcat | =7.0.4 | |
Apache Tomcat | =7.0.3 | |
Apache Tomcat | =6.0.26 | |
Apache Tomcat | =6.0.19 | |
Apache Tomcat | =6.0.27 | |
Apache Tomcat | =6.0.16 | |
debian/tomcat6 | ||
maven/org.apache.tomcat:tomcat | >=6.0.12<=6.0.29 | |
maven/org.apache.tomcat:tomcat | >=7.0.0<7.0.5 | 7.0.5 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.