Page 7 of 36 results (0.007 seconds)

CVSS: 4.3EPSS: 10%CPEs: 52EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en la aplicación ejemplo appdev/sample/web/hello.jsp en Tomcat 4.0.0 hasta la 4.0.6, 4.1.0 hasta la 4.1.36, 5.0.0 hasta la 5.0.30, 5.5.0 hasta la5.5.23, y 6.0.0 hasta la 6.0.10 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro test y vectores no especificados. The Tomcat documentation web application includes a sample application that contains multiple cross site scripting vulnerabilities. Versions affected include Tomcat 4.0.0 to 4.0.6, Tomcat 4.1.0 to 4.1.36, Tomcat 5.0.0 to 5.0.30, Tomcat 5.5.0 to 5.5.23, and Tomcat 6.0.0 to 6.0.10. • https://www.exploit-db.com/exploits/30052 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html http://osvdb.org/34875 http://rhn.redhat.com/errata/RHSA-2008-0630.html http://secunia.com/advisories/27037 http://secunia.com/advisories/27727 http://secunia.com/advisories/30802 http://secunia.com/advisories&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 2.6EPSS: 0%CPEs: 43EXPL: 0

The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts. La configuración de cifrado SSL por defecto en Apache Tomcat 4.1.28 hasta 4.1.31, 5.0.0 hasta 5.0.30, y 5.5.0 hasta 5.5.17 utiliza determinadas claves inseguras, incluyendo la clave anónima, lo cual permite a atacantes remotos obtener información sensible o tener otros impactos no especificados. • http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html http://marc.info/?l=bugtraq&m=133114899904925&w=2 http://osvdb.org/34882 http://secunia.com/advisories/29392 http://secunia.com/advisories/33668 http://secunia.com/advisories/44183 http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 http://tomcat.ap •

CVSS: 4.3EPSS: 95%CPEs: 54EXPL: 1

Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en el ejemplo de aplicación de calendario en Apache Tomcat versión 4.0.0 hasta 4.0.6, versión 4.1.0 hasta 4.1.31, versión 5.0.0 hasta 5.0.30 y versión 5.5.0 hasta 5.5.15 permite a atacantes remotos inyectar script web o HTML arbitrarias por medio del parámetro time hacia el archivo cal2.jsp y posiblemente otros vectores no especificados. NOTA: esto puede estar relacionado con CVE-2006-0254.1. • https://www.exploit-db.com/exploits/30563 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://osvdb.org/34888 http://secunia.com/advisories/29242 http://secunia.com/advisories/33668 http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 http://tomcat.apache.org/security-4.html http://tomcat.apache • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 1%CPEs: 1EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries. • http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065598.html http://marc.info/?l=tomcat-dev&m=110476790331536&w=2 http://marc.info/?l=tomcat-dev&m=110477195116951&w=2 http://rhn.redhat.com/errata/RHSA-2008-0630.html http://secunia.com/advisories/13737 http://secunia.com/advisories/31493 http://securitytracker.com/id?1012793 http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://www.oliverkarow.de/research/jakarta556_ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8EPSS: 0%CPEs: 26EXPL: 0

The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information. • http://tomcat.apache.org/security-4.html http://www.securityfocus.com/bid/28483 https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •