Page 17 of 85 results (0.017 seconds)

CVSS: 5.8EPSS: 0%CPEs: 12EXPL: 0

CVE-2011-1419

https://notcve.org/view.php?id=CVE-2011-1419

Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088. Apache Tomcat v7.x anterior a v7.0.11, cuando web.xml no tiene restricciones de seguridad, no sigue anotaciones ServletSecurity, lo que permite a atacantes remotos evitar las restricciones de acceso a través de peticiones HTTP a una aplicación web. Nota: esta vulnerabilidad existe debido a un parche incompleto para CVE-2011-1088. • http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E http://marc.info/?l=tomcat-user&m=129966773405409&w=2 http://markmail.org/message/lzx5273wsgl5pob6 http://markmail.org/message/yzmyn44f5aetmm2r http://secunia.com/advisories/43684 http://securityreason.com/securityalert/8131 http://svn.apache.org/viewvc?view=revision&revision=1079752 http://tomcat.apache.org/security-7.html http://www.osvdb.org/71027 http://www.securityfocus.com/bid •

CVSS: 4.3EPSS: 0%CPEs: 65EXPL: 1

CVE-2011-0013 – tomcat: XSS vulnerability in HTML Manager interface

https://notcve.org/view.php?id=CVE-2011-0013

Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en la interfaz de HTML Manager en Apache Software Foundation Tomcat v7.0 antes de v7.0.6, v5.5 antes de v5.5.32 y v6.0 antes de v6.0.30 permiten a atacantes remotos inyectar secuencias de comandos web o HTML, como se demuestra a través de una etiqueta display-name. Apache Tomcat Manager suffers from a cross site scripting vulnerability. Versions 7.0.0 through 7.0.5, 6.0.0 through 6.0.29, and 5.5.0 through 5.5.31 are affected. • http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html http://marc.info/?l=bugtraq&m=130168502603566&w=2 http://marc.info/?l=bugtraq&m=132215163318824&w=2 http://marc.info/?l=bugtraq&m=136485229118404&w=2 http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://secunia.com/advisories/43192 http://secunia.com/advisories/45022 http://secunia.com/advisories/57126 http://s • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 1%CPEs: 34EXPL: 0

CVE-2011-0534 – tomcat: remote DoS via NIO connector

https://notcve.org/view.php?id=CVE-2011-0534

Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request. Apache Tomcat v7.0.0 hasta v7.0.6 y v6.0.0 hasta v6.0.30 no hace cumplir el límite maxHttpHeaderSize de las solicitudes relacionadas con el conector NIO HTTP, que permite a atacantes remotos provocar una denegación de servicio (OutOfMemoryError) a través de una solicitud manipulada. • http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://osvdb.org/70809 http://secunia.com/advisories/43192 http://secunia.com/advisories/45022 http://secunia.com/advisories/57126 http://securityreason.com/securityalert/8074 http://support.apple.com/kb/HT5002 http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098 • CWE-399: Resource Management Errors •

CVSS: 4.0EPSS: 0%CPEs: 63EXPL: 0

CVE-2010-3718 – tomcat: file permission bypass flaw

https://notcve.org/view.php?id=CVE-2010-3718

Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack. Apache Tomcat v7.0.0 hasta v7.0.3, v6.0.x, y v5.5.x, cuando se ejecuta dentro de un SecurityManager no tiene el atributo ServletContext de sólo lectura, lo que permite a las aplicaciones web locales leer y escribir archivos fuera del directorio de trabajo previsto, como se ha demostrado mediante un ataque de salto de directorio. • http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html http://marc.info/?l=bugtraq&m=130168502603566&w=2 http://marc.info/?l=bugtraq&m=132215163318824&w=2 http://marc.info/?l=bugtraq&m=136485229118404&w=2 http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://secunia.com/advisories/43192 http://secunia.com/advisories/45022 http://secunia.com/advisories/57126 http://s •

CVSS: 4.3EPSS: 1%CPEs: 20EXPL: 2

CVE-2010-4172 – Apache Tomcat 7.0.4 - 'sort' / 'orderBy' Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2010-4172

Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados en la aplicación Manager en Apache Tomcat v6.0.12 hasta v6.0.29 y v7.0.0 hasta v7.0.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro (1) orderBy o (2) sort a sessionsList.jsp, o una entrada no especificada a (3) sessionDetail.jsp o (4) java/org/apache/catalina/manager/JspHelper.java, relacionado con la utilización de aplicaciones web que no son de confianza. • https://www.exploit-db.com/exploits/35011 http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0285.html http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://secunia.com/advisories/42337 http://secunia.com/advisories/43019 http://secunia.com/advisories/45022 http://secunia.com/advisories/57126 http://securitytracker.com/id?1024764 http://support.apple.com/kb/HT5002 http://support.novell&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •