CVSS: 6.8EPSS: 0%CPEs: 93EXPL: 3CVE-2013-6357 – Apache Tomcat 5.5.25 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2013-6357
04 Nov 2013 — Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require ... • https://packetstorm.news/files/id/123894 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2013-2185 – Tomcat/JBossWeb: Arbitrary file upload via deserialization
https://notcve.org/view.php?id=CVE-2013-2185
04 Sep 2013 — The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications t... • http://openwall.com/lists/oss-security/2014/10/24/12 • CWE-20: Improper Input Validation CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2009-2696 – tomcat: missing fix for CVE-2009-0781
https://notcve.org/view.php?id=CVE-2009-2696
05 Aug 2010 — Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en jsp/cal/cal2.jsp en la aplicación calendario en los ejemplos de... • http://secunia.com/advisories/40813 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 24%CPEs: 142EXPL: 3CVE-2009-3548 – Apache Tomcat Manager - Application Upload (Authenticated) Code Execution
https://notcve.org/view.php?id=CVE-2009-3548
12 Nov 2009 — The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges. El instalador de Windows para Apache Tomcat 6.0.0 a 6.0.20, 5.5.0 a 5.5.28, y posiblemente versiones anteriores, usa una contraseña en blanco por defecto para el usuario administrador, lo que permite a atacantes remotos obtener privilegios. Potential security vulnerabilities have been ide... • https://packetstorm.news/files/id/125021 • CWE-255: Credentials Management Errors •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2008-0128 – tomcat5 SSO cookie login information disclosure
https://notcve.org/view.php?id=CVE-2008-0128
23 Jan 2008 — The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. El valor SingleSignOn (org.apache.catalina.authenticator.SingleSignOn) en Apache Tomcat anterior a 5.5.21 no asigna la bandera segura para la cookie JSESSIONIDSSO en una sesión http, haciéndolo más fácil para at... • https://github.com/ngyanch/4062-1 • CWE-16: Configuration •
CVSS: 7.5EPSS: 14%CPEs: 85EXPL: 1CVE-2007-3382 – Apache Tomcat 6.0.13 - Insecure Cookie Handling Quote Delimiter Session ID Disclosure
https://notcve.org/view.php?id=CVE-2007-3382
14 Aug 2007 — Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks. Apache Tomcat 6.0.0 hasta 6.0.13, 5.5.0 hasta 5.5.24, 5.0.0 hasta 5.0.30, 4.1.0 hasta 4.1.36, y 3.3 hasta 3.3.2 trata las comillas simples ("'") como delimitadores en las cookies, lo cual podría provocar que información se... • https://www.exploit-db.com/exploits/30496 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 11%CPEs: 85EXPL: 0CVE-2007-3385 – tomcat handling of cookie values
https://notcve.org/view.php?id=CVE-2007-3385
14 Aug 2007 — Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. Apache Tomcat 6.0.0 hasta 6.0.13, 5.5.0 hasta 5.5.24, 5.0.0 hasta 5.0.30, 4.1.0 hasta 4.1.36, y 3.3 hasta 3.3.2 no trata adecuadamente la secuencia de caracteres \" en un valor de cookie, lo cual podría provocar ... • http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2007-3384
https://notcve.org/view.php?id=CVE-2007-3384
08 Aug 2007 — Multiple cross-site scripting (XSS) vulnerabilities in examples/servlet/CookieExample in Apache Tomcat 3.3 through 3.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Name or (2) Value field, related to error messages. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en examples/servlet/CookieExample de Apache Tomcat 3.3 hasta 3.3.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante los campos (1) Name o (2)... • http://osvdb.org/39035 •
CVSS: 6.1EPSS: 94%CPEs: 73EXPL: 1CVE-2007-2449 – Apache Tomcat 6.0.13 - JSP Example Web Applications Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-2449
14 Jun 2007 — Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en ciertos ficheros J... • https://www.exploit-db.com/exploits/30189 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 95%CPEs: 54EXPL: 1CVE-2006-7196 – Apache Tomcat 5.5.15 - cal2.jsp Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-7196
09 May 2007 — Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en el ejemplo de aplicación de calendario en Apache Tomcat versión 4.0.0 hasta 4.0.6, vers... • https://www.exploit-db.com/exploits/30563 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •