CVSS: 4.3EPSS: 20%CPEs: 17EXPL: 0CVE-2007-3383
https://notcve.org/view.php?id=CVE-2007-3383
Cross-site scripting (XSS) vulnerability in SendMailServlet in the examples web application (examples/jsp/mail/sendmail.jsp) in Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.36 allows remote attackers to inject arbitrary web script or HTML via the From field and possibly other fields, related to generation of error messages. Vulnerabilidad de seuencia de comandos en sitios cruzados en SendMailServlet en los ejemplos de aplicaciones web (examples/jsp/mail/sendmail.jsp) en Apache Tomcat 4.0.0 hasta la 4.0.6 y 4.1.0 hasta la 4.1.36 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del campo From y posiblemente otros campos, relacionado con la generación de mensajes de error. • http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html http://osvdb.org/39000 http://seclists.org/fulldisclosure/2007/Jul/0448.html http://secunia.com/advisories/30802 http://securityreason.com/securityalert/2918 http://support.apple.com/kb/HT2163 http://tomcat.apache.org/security-4.html http://www.kb.cert.org/vuls/id/862600 http://www.securityfocus.com/archive/1/474413/100/0/threaded http://www.securityfocus.com/bid/24999 http://www.vupen.co •
CVSS: 3.5EPSS: 3%CPEs: 88EXPL: 0CVE-2007-2450 – tomcat host manager XSS
https://notcve.org/view.php?id=CVE-2007-2450
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors. Múltilples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en las aplicaciones web (1) Manager y (2) Host Manager en Apache Tomcat 4.0.0 hasta la 4.0.6, 4.1.0 hasta la 4.1.36, 5.0.0 hasta la 5.0.30, 5.5.0 hasta la 5.5.24, y 6.0.0 hasta la 6.0.13 permite a usuarios remotos validados inyectar secuencias de comandos web o HTML a través de un parámetro name en manager/html/upload, y otros vectores no especificados. • http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 http://jvn.jp/jp/JVN%2307100457/index.html http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://secunia.com/advisories/25678 http://secunia.com/advisories/26076 http://secunia.com/advisories/27037 http://secunia.com/advisories/27727 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 95%CPEs: 73EXPL: 1CVE-2007-2449 – Apache Tomcat 6.0.13 - JSP Example Web Applications Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-2449
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en ciertos ficheros JSP en la aplicación web de ejemplo en el Apache Tomcat 4.0.0 hasta el 4.0.6, 4.1.0 hasta el 4.1.36, 5.0.0 hasta el 5.0.30, 5.5.0 hasta el 5.5.24 y el 6.0.0 hasta el 6.0.13 permiten a atacantes remotos la inyección de secuencias de comandos web o HTML de su elección a través de la porción de URI después del caracter ';', como lo demostrado utilizando una URI que contenía una secuencia "snp/snoop.jsp;". Apache Tomcat versions 4.0.0 to 4.0.6, 4.1.0 to 4.1.36, 5.0.0 to 5.0.30, 5.5.0 to 5.5.24, and 6.0.0 to 6.0.13 suffer from a cross site scripting flaw in their JSP examples. • https://www.exploit-db.com/exploits/30189 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://osvdb.org/36080 http://rhn.redhat.com/errata/RHSA-2008-0630.htm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 3%CPEs: 1EXPL: 0CVE-2007-1860 – mod_jk sends decoded URL to tomcat
https://notcve.org/view.php?id=CVE-2007-1860
mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450. El componente mod_jk en Apache Tomcat JK Web Server Connector versión 1.2. x anterior a 1.2.23, descodifica las URL de petición dentro del servidor Apache HTTP antes de pasar la URL a Tomcat, lo que permite a los atacantes remotos acceder a páginas protegidas por medio de un JkMount prefijado y creado, posiblemente involucrando secuencias double-encoded.. (punto punto) y el salto de directorio (directory traversal), un problema relacionado a CVE-2007-0450. • http://docs.info.apple.com/article.html?artnum=306172 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://secunia.com/advisories/25383 http://secunia.com/advisories/25701 http://secunia.com/advisories/26235 http://secunia.com/advisories/26512 http://secunia.com/advisories/27037 http://secunia.com/advisorie • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 10%CPEs: 52EXPL: 2CVE-2007-1355 – Apache Tomcat 6.0.10 - Documentation Sample Application Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2007-1355
Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en la aplicación ejemplo appdev/sample/web/hello.jsp en Tomcat 4.0.0 hasta la 4.0.6, 4.1.0 hasta la 4.1.36, 5.0.0 hasta la 5.0.30, 5.5.0 hasta la5.5.23, y 6.0.0 hasta la 6.0.10 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro test y vectores no especificados. The Tomcat documentation web application includes a sample application that contains multiple cross site scripting vulnerabilities. Versions affected include Tomcat 4.0.0 to 4.0.6, Tomcat 4.1.0 to 4.1.36, Tomcat 5.0.0 to 5.0.30, Tomcat 5.5.0 to 5.5.23, and Tomcat 6.0.0 to 6.0.10. • https://www.exploit-db.com/exploits/30052 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html http://osvdb.org/34875 http://rhn.redhat.com/errata/RHSA-2008-0630.html http://secunia.com/advisories/27037 http://secunia.com/advisories/27727 http://secunia.com/advisories/30802 http://secunia.com/advisories&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •