CVSS: 3.7EPSS: 60%CPEs: 9EXPL: 0CVE-2007-1358 – tomcat accept-language xss flaw
https://notcve.org/view.php?id=CVE-2007-1358
09 May 2007 — Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616". Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en ciertas aplicaciones que usan Apache Tomcat 4.0.0 hasta 4.0.6 y 4.1.0 hasta 4.1.34 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante "... • http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 3%CPEs: 1EXPL: 0CVE-2005-4838 – tomcat manager example DoS
https://notcve.org/view.php?id=CVE-2005-4838
31 Dec 2005 — Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries. • http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065598.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 86%CPEs: 11EXPL: 0CVE-2005-0808
https://notcve.org/view.php?id=CVE-2005-0808
20 Mar 2005 — Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007. • http://www.hitachi-support.com/security_e/vuls_e/HS05-006_e/index-e.html •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2003-0045
https://notcve.org/view.php?id=CVE-2003-0045
07 Feb 2003 — Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp. Jakarta Tomcat antes de 3.3.1a en ciertos sistemas Windows puede permitir a atacantes remotos causar una denegación de servicio (cuelgue de hebras y consumición de recursos) mediante peticiones a una página JSP conteniendo un nombre de dispositivo MS-DOS, como aux.jsp. • http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2003-0043
https://notcve.org/view.php?id=CVE-2003-0043
07 Feb 2003 — Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file. Jakarta Tomcat anteriores a 3.3.1a, cuando se usa con JDK 1.3.1 o anteriores, usa privilegios que le han sido confiados cuando procesa el fichero web.xml, lo que podría permitir a atacantes remotos leer porciones de algunos ficheros mediante el fichero web.xml • http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a •
CVSS: 7.5EPSS: 5%CPEs: 9EXPL: 1CVE-2003-0042 – Apache Tomcat 3.x - Null Byte Directory / File Disclosure
https://notcve.org/view.php?id=CVE-2003-0042
29 Jan 2003 — Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character. Jakarta Tomcat antes de 3.3.1a, cuando se usa con JDK 1.3.1 o anterior, permite a atacantes remotos listar directorios incluso cuando un index.html u otro fichero presente mediante una URL conteniendo un carácter nulo. • https://www.exploit-db.com/exploits/22205 •
CVSS: 6.8EPSS: 66%CPEs: 10EXPL: 0CVE-2003-0044
https://notcve.org/view.php?id=CVE-2003-0044
29 Jan 2003 — Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML. Vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en las apliaciones ejemplos y ROOT web en Jakarta Tomcat 3.x a 3.3.1a permite a atacantes remotos ejecutar scripts web arbitrarios • http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2002-1895
https://notcve.org/view.php?id=CVE-2002-1895
31 Dec 2002 — The servlet engine in Jakarta Apache Tomcat 3.3 and 4.0.4, when using IIS and the ajp1.3 connector, allows remote attackers to cause a denial of service (crash) via a large number of HTTP GET requests for an MS-DOS device such as AUX, LPT1, CON, or PRN. • http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0020.html •
CVSS: 7.5EPSS: 1%CPEs: 14EXPL: 3CVE-2002-2006 – Apache Tomcat 4.0/4.1 - Servlet Full Path Disclosure
https://notcve.org/view.php?id=CVE-2002-2006
31 Dec 2002 — The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets. • https://www.exploit-db.com/exploits/21412 •
CVSS: 7.5EPSS: 2%CPEs: 19EXPL: 2CVE-2002-1148 – Apache Tomcat 3/4 - 'DefaultServlet' File Disclosure
https://notcve.org/view.php?id=CVE-2002-1148
11 Oct 2002 — The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet. El servlet por defecto (org.apache.catalina.servlets.DefaultServlet) en Tomcat 4.0.4 y 4.1.10 permite a atacantes remotos leer código fuente de ficheros del servidor mediante una petición directa al servlet. • https://www.exploit-db.com/exploits/21853 •