Page 14 of 76 results (0.020 seconds)

CVSS: 4.3EPSS: 2%CPEs: 3EXPL: 2

Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en Apache Tomcat 4.1.0 hasta la 4.1.37, 5.5.0 hasta la 5.5.26 y 6.0.0 hasta la 6.0.16, permite a atacantes remotos inyectar arbitrariamente secuencias de comandos web o HTML a través de una cadena manipulada usada en el argumento message del método HttpServletResponse.sendError. • https://www.exploit-db.com/exploits/32138 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15/ca20090615-02-ca-service-desk-tomcat-cross-site-scripting-vulnerability.aspx http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://marc.info/?l=bugtraq&m=123376588623823&w=2 http://marc.info/?l=bugtraq&m=13 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 6%CPEs: 35EXPL: 0

Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en Apache Tomcat v5.5.9 a la v5.5.26 y v6.0.0 a la v6.0.16, permite a atacantes remotos inyectar secuencias de comandos web y HTML de su elección a través del parámetro name (también conocido como el atributo hostname) al host-manager/html/add. Tomcat versions 5.5.9 through 5.5.26 and versions 6.0.0 through 6.0.16 suffer from a host-manager cross site scripting vulnerability. • http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://marc.info/?l=bugtraq&m=123376588623823&w=2 http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://marc.info/?l=tomcat-user&m=121244319501278&w=2 http://secunia.com/advisories/30500 http://secunia.com/advisories/30592 http://secunia.com/advisories/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 1%CPEs: 31EXPL: 0

Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request. Apache Tomcat de 5.5.11 a 5.5.25 y de 6.0.0 a 6.0.15, cuando se utiliza el conector ARP nativo no maneja correctamente una petición vacía al puerto SSL, lo que permite a atacantes remotos disparar el manejo de "una copia duplicada de una de las peticiones recientes", como se demostró utilizando netcat para enviar la petición vacía. • http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://secunia.com/advisories/28878 http://secunia.com/advisories/28915 http://secunia.com/advisories/29711 http://secunia.com/advisories/30676 http://secunia.com/advisories/32222 http://secunia.com/advisories/37460 http://secunia.com/advisories/57126 http://security.gentoo.org/glsa& •

CVSS: 5.0EPSS: 18%CPEs: 3EXPL: 2

Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385. Apache Tomcat 6.0.0 hasta 6.0.14, 5.5.0 hasta 5.5.25, 4.1.36 y 4.1.0 al no manejar adecuadamente secuencias (1) caracteres de dobles comillas (") o (2) secuencias de contrabarra codificadas %5C en un valor de cookie, podría provocar que información sensible como los IDs de sesión sean filtradas a atacantes remotos, así como habilitar ataques de secuestro de sesión. NOTA: este problema existe debido a una arreglo erroneo de CVE-2007-3385. • https://www.exploit-db.com/exploits/31130 http://jvn.jp/jp/JVN%2309470767/index.html http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://secunia.com/advisories/28878 http://secunia.com/advisories/28884 http://secunia.com/advisories/28915 http://se • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.8EPSS: 0%CPEs: 11EXPL: 0

Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitive information, as demonstrated by disconnecting during this processing in order to trigger the exception. Apache Tomcat 6.0.0 hasta 6.0.15 procesa parámetros en el contexto de una solicitud errónea cuando ocurre una excepción durante el procesamiento del parámetro, lo cual permite a atacantes remotos obtener información sensible, tal como se demostró durante este tratamiento para provocar la excepción. • http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://secunia.com/advisories/28834 http://secunia.com/advisories/28915 http://secunia.com/advisories/29711 http://secunia.com/advisories/32222 http://secunia.com/advisories/37460 http://secunia.com/advisories/57126 http://security.gentoo.org/glsa/glsa-200804-10.xml http://securit •