CVE-2011-0013: XSS
First published: Mon Feb 07 2011(Updated: )
Apache Tomcat 5.5.32 and 6.0.30 were released [1],[2] to fix, among other things, an XSS vulnerability in the HTML Manager [3]. The HTML Manager displayed unfiltered web application-provided data that could be used to trigger script execution by an administrative user when viewing the Manager pages, such as: <display-name>&lt;script&gt;alert('hi');&lt;/script&gt;</display-name> For Tomcat 5.5.x, this was fixed in upstream revision 1057518 [4] and for Tomcat 6.x it was fixed in upstream revision 1057270 [5]. [1] <a href="http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32">http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32</a> [2] <a href="http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30">http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30</a> [3] <a href="http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0077.html">http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0077.html</a> [4] <a href="http://svn.apache.org/viewvc?rev=1057518&view=rev">http://svn.apache.org/viewvc?rev=1057518&view=rev</a> [5] <a href="http://svn.apache.org/viewvc?rev=1057270&view=rev">http://svn.apache.org/viewvc?rev=1057270&view=rev</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.tomcat:tomcat | >=7.0.0<7.0.6 | 7.0.6 |
| maven/org.apache.tomcat:tomcat | >=6.0.0<6.0.30 | 6.0.30 |
| maven/org.apache.tomcat:tomcat | >=5.5.0<5.5.32 | 5.5.32 |
| Tomcat | =7.0.1 | |
| Tomcat | =7.0.2 | |
| Tomcat | =7.0.5 | |
| Tomcat | =7.0.0 | |
| Tomcat | =7.0.4 | |
| Tomcat | =7.0.3 | |
| Tomcat | =6.0.6 | |
| Tomcat | =6.0.11 | |
| Tomcat | =6.0.7 | |
| Tomcat | =6.0.4 | |
| Tomcat | =6.0.15 | |
| Tomcat | =6.0.20 | |
| Tomcat | =6.0.10 | |
| Tomcat | =6.0.29 | |
| Tomcat | =6.0.3 | |
| Tomcat | =6.0.9 | |
| Tomcat | =6.0.24 | |
| Tomcat | =6.0.17 | |
| Tomcat | =6.0 | |
| Tomcat | =6.0.28 | |
| Tomcat | =6.0.0 | |
| Tomcat | =6.0.14 | |
| Tomcat | =6.0.1 | |
| Tomcat | =6.0.12 | |
| Tomcat | =6.0.18 | |
| Tomcat | =6.0.5 | |
| Tomcat | =6.0.2 | |
| Tomcat | =6.0.13 | |
| Tomcat | =6.0.26 | |
| Tomcat | =6.0.19 | |
| Tomcat | =6.0.27 | |
| Tomcat | =6.0.16 | |
| Tomcat | =6.0.8 | |
| Tomcat | =5.5.27 | |
| Tomcat | =5.5.18 | |
| Tomcat | =5.5.12 | |
| Tomcat | =5.5.14 | |
| Tomcat | =5.5.10 | |
| Tomcat | =5.5.4 | |
| Tomcat | =5.5.7 | |
| Tomcat | =5.5.1 | |
| Tomcat | =5.5.11 | |
| Tomcat | =5.5.28 | |
| Tomcat | =5.5.6 | |
| Tomcat | =5.5.26 | |
| Tomcat | =5.5.20 | |
| Tomcat | =5.5.15 | |
| Tomcat | =5.5.5 | |
| Tomcat | =5.5.30 | |
| Tomcat | =5.5.21 | |
| Tomcat | =5.5.22 | |
| Tomcat | =5.5.3 | |
| Tomcat | =5.5.31 | |
| Tomcat | =5.5.9 | |
| Tomcat | =5.5.25 | |
| Tomcat | =5.5.2 | |
| Tomcat | =5.5.0 | |
| Tomcat | =5.5.13 | |
| Tomcat | =5.5.24 | |
| Tomcat | =5.5.8 | |
| Tomcat | =5.5.16 | |
| Tomcat | =5.5.17 | |
| Tomcat | =5.5.29 | |
| Tomcat | =5.5.19 | |
| Tomcat | =5.5.23 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32
- http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30
- http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0077.html
- http://svn.apache.org/viewvc?rev=1057518&view=rev
- http://svn.apache.org/viewvc?rev=1057270&view=rev
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=675794
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=675795
- https://rhn.redhat.com/errata/RHSA-2011-0791.html
- https://rhn.redhat.com/errata/RHSA-2011-0896.html
- https://rhn.redhat.com/errata/RHSA-2011-0897.html
- https://rhn.redhat.com/errata/RHSA-2011-1845.html
- https://bugzilla.redhat.com/show_bug.cgi?id=675786
- http://www.securityfocus.com/archive/1/516209/30/90/threaded
- http://www.securityfocus.com/bid/46174
- http://www.securitytracker.com/id?1025026
- http://www.vupen.com/english/advisories/2011/0376
- http://www.debian.org/security/2011/dsa-2160
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:030
- http://secunia.com/advisories/43192
- http://www.redhat.com/support/errata/RHSA-2011-0896.html
- http://www.redhat.com/support/errata/RHSA-2011-0791.html
- http://www.redhat.com/support/errata/RHSA-2011-0897.html
- http://securityreason.com/securityalert/8093
- http://support.apple.com/kb/HT5002
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
- http://secunia.com/advisories/45022
- http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html
- http://www.redhat.com/support/errata/RHSA-2011-1845.html
- http://marc.info/?l=bugtraq&m=132215163318824&w=2
- http://marc.info/?l=bugtraq&m=136485229118404&w=2
- http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
- http://marc.info/?l=bugtraq&m=139344343412337&w=2
- http://secunia.com/advisories/57126
- http://marc.info/?l=bugtraq&m=130168502603566&w=2
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19269
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14945
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12878
- https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
- http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_%28released_14_Jan_2011%29
- https://nvd.nist.gov/vuln/detail/CVE-2011-0013
- https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
- https://access.redhat.com/errata/RHSA-2011:0791
- https://access.redhat.com/errata/RHSA-2011:0896
- https://access.redhat.com/errata/RHSA-2011:0897
- https://access.redhat.com/errata/RHSA-2011:1845
- https://access.redhat.com/security/cve/CVE-2011-0013
- https://github.com/apache/tomcat/commit/58223c5ecc0751c3642c810f291b8f033d33b97f
- https://github.com/apache/tomcat55/commit/863d77c7d321245de019ac32252828e0a025c5b4
- https://web.archive.org/web/20111227000129/http://secunia.com/advisories/45022
- https://web.archive.org/web/20111229163935/http://secunia.com/advisories/43192
- https://web.archive.org/web/20120126065143/http://www.securityfocus.com/archive/1/516209/30/90/threaded
- https://web.archive.org/web/20120126070320/http://www.securitytracker.com/id?1025026
- https://web.archive.org/web/20120213130147/http://www.securityfocus.com/bid/46174
- https://web.archive.org/web/20151017023138/http://secunia.com/advisories/57126
- https://github.com/advisories/GHSA-3p86-xgrq-m6p6 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2011-0013?
CVE-2011-0013 is classified as a moderate severity cross-site scripting (XSS) vulnerability.
How do I fix CVE-2011-0013?
To fix CVE-2011-0013, upgrade your Apache Tomcat installation to version 5.5.32, 6.0.30, or later.
What software versions are affected by CVE-2011-0013?
CVE-2011-0013 affects Apache Tomcat versions 5.5.0 to 5.5.31, 6.0.0 to 6.0.29, and 7.0.0 to 7.0.2.
What type of vulnerability is CVE-2011-0013?
CVE-2011-0013 is a cross-site scripting (XSS) vulnerability that enables script execution in the HTML Manager.
Who is impacted by CVE-2011-0013?
Administrators using affected versions of Apache Tomcat may be at risk when viewing Manager pages.
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3p86-xgrq-m6p6
- alias/CVE-2011-0013
- agent/software-canonical-lookup
- agent/references
- agent/remedy
- agent/severity
- agent/description
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- agent/weakness
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- source/NVD
- package-manager/maven
- vendor/apache
- canonical/tomcat
- version/tomcat/7.0.1
- version/tomcat/7.0.2
- version/tomcat/7.0.5
- version/tomcat/7.0.0
- version/tomcat/7.0.4
- version/tomcat/7.0.3
- version/tomcat/6.0.6
- version/tomcat/6.0.11
- version/tomcat/6.0.7
- version/tomcat/6.0.4
- version/tomcat/6.0.15
- version/tomcat/6.0.20
- version/tomcat/6.0.10
- version/tomcat/6.0.29
- version/tomcat/6.0.3
- version/tomcat/6.0.9
- version/tomcat/6.0.24
- version/tomcat/6.0.17
- version/tomcat/6.0
- version/tomcat/6.0.28
- version/tomcat/6.0.0
- version/tomcat/6.0.14
- version/tomcat/6.0.1
- version/tomcat/6.0.12
- version/tomcat/6.0.18
- version/tomcat/6.0.5
- version/tomcat/6.0.2
- version/tomcat/6.0.13
- version/tomcat/6.0.26
- version/tomcat/6.0.19
- version/tomcat/6.0.27
- version/tomcat/6.0.16
- version/tomcat/6.0.8
- version/tomcat/5.5.27
- version/tomcat/5.5.18
- version/tomcat/5.5.12
- version/tomcat/5.5.14
- version/tomcat/5.5.10
- version/tomcat/5.5.4
- version/tomcat/5.5.7
- version/tomcat/5.5.1
- version/tomcat/5.5.11
- version/tomcat/5.5.28
- version/tomcat/5.5.6
- version/tomcat/5.5.26
- version/tomcat/5.5.20
- version/tomcat/5.5.15
- version/tomcat/5.5.5
- version/tomcat/5.5.30
- version/tomcat/5.5.21
- version/tomcat/5.5.22
- version/tomcat/5.5.3
- version/tomcat/5.5.31
- version/tomcat/5.5.9
- version/tomcat/5.5.25
- version/tomcat/5.5.2
- version/tomcat/5.5.0
- version/tomcat/5.5.13
- version/tomcat/5.5.24
- version/tomcat/5.5.8
- version/tomcat/5.5.16
- version/tomcat/5.5.17
- version/tomcat/5.5.29
- version/tomcat/5.5.19
- version/tomcat/5.5.23