Page 8 of 50 results (0.016 seconds)

CVSS: 4.3EPSS: 27%CPEs: 85EXPL: 0

Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." Una vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en jsp/cal/cal2.jsp en la aplicación 'calendar' de los ejemplos de aplicaciones Web de Apache Tomcat 4.1.0 a 4.1.39, 5.5.0 a 5.5.27 y 6.0.0 a 6.0.18 permite a atacantes remotos inyectar HTML o scripts web arbitrarios a través del parámetro 'time', en relación a un "HTML no válido." The calendar application for Apache Tomcat contains invalid HTML which renders the cross site scripting protection for the time parameter ineffective. An attacker can therefore perform an cross site scripting attack using the time attribute. Version affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39. • http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html http://marc.info/?l=bugtraq&m=127420533226623&w=2 http://marc.info/?l=bugtraq&m=129070310906557&w=2 http://marc.info/?l=bugtraq&m=133469267822771&w=2 http://marc.info/?l=bugtraq&m=136485229118404&w=2 http://secunia.com/advisories/35685 http://secunia.com/advisories/35788 http://secunia.com/advisories/37460 http://s • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 96%CPEs: 3EXPL: 2

Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version. Una vulnerabilidad de salto de directorio (Directory Traversal) en Apache Tomcat versión 4.1.0 hasta 4.1.37, versión 5.5.0 hasta 5.5.26 y versión 6.0.0 hasta 6.0.16, cuando están habilitados allowLinking y UTF-8, permite a atacantes remotos leer archivos arbitrarios por medio de secuencias de salto de directorio (Directory Traversal) en el URI, una vulnerabilidad diferente a CVE-2008-2370. NOTA: las versiones anteriores a 6.0.18 se informaron afectadas, pero el aviso del proveedor enumera 6.0.16 como la última versión afectada. ToutVirtual VirtualIQ Pro version 3.2 build 7882 suffers from cross site scripting, cross site request forgery, directory traversal, and code execution vulnerabilities. • https://www.exploit-db.com/exploits/6229 https://www.exploit-db.com/exploits/14489 http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://marc.info/?l=bugtraq&m=123376588623823&w=2 http://secunia.com/advisories/31639 http://secunia.com/advisories/31865 http://secunia.com/advisories/31891 http://secunia.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 5.0EPSS: 10%CPEs: 82EXPL: 2

Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. Apache Tomcat 4.1.0 hasta la 4.1.37, 5.5.0 hasta la 5.5.26 y 6.0.0 hasta la 6.0.16, cuando se utiliza RequestDispatcher, realiza una regularización de ruta antes de eliminar la cadena de consulta desde la URI, lo cual permite a atacantes remotos dirigir ataques de salto de directorio y leer archivos arbitrariamente mediante un .. (punto punto) en un parametro request. • https://www.exploit-db.com/exploits/32137 http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://marc.info/?l=bugtraq&m=123376588623823&w=2 http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://secunia.com/advisories/31379 http://secunia.com/advisories/31381 http://secunia.com/advisories/31639 http:/& • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 4.3EPSS: 2%CPEs: 3EXPL: 2

Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en Apache Tomcat 4.1.0 hasta la 4.1.37, 5.5.0 hasta la 5.5.26 y 6.0.0 hasta la 6.0.16, permite a atacantes remotos inyectar arbitrariamente secuencias de comandos web o HTML a través de una cadena manipulada usada en el argumento message del método HttpServletResponse.sendError. • https://www.exploit-db.com/exploits/32138 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15/ca20090615-02-ca-service-desk-tomcat-cross-site-scripting-vulnerability.aspx http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://marc.info/?l=bugtraq&m=123376588623823&w=2 http://marc.info/?l=bugtraq&m=13 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 6%CPEs: 35EXPL: 0

Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en Apache Tomcat v5.5.9 a la v5.5.26 y v6.0.0 a la v6.0.16, permite a atacantes remotos inyectar secuencias de comandos web y HTML de su elección a través del parámetro name (también conocido como el atributo hostname) al host-manager/html/add. Tomcat versions 5.5.9 through 5.5.26 and versions 6.0.0 through 6.0.16 suffer from a host-manager cross site scripting vulnerability. • http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://marc.info/?l=bugtraq&m=123376588623823&w=2 http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://marc.info/?l=tomcat-user&m=121244319501278&w=2 http://secunia.com/advisories/30500 http://secunia.com/advisories/30592 http://secunia.com/advisories/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •