CVE-2007-1358

tomcat accept-language xss flaw

  • Severity Score: 2.6 (source: CVSS v2)
  • Exploit Likelihood (source: EPSS)
  • Affected Versions (source: CPE)
  • Public Exploits: 0 (source: Multiple Sources)
  • Exploited in Wild: - (source: KEV)
  • Decision: - (source: SSVC)
Descriptions

Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".


*Credits: N/A
CVSS Scores (Common Vulnerability Scoring System)
  • Attack Vector: Network
  • Attack Complexity: High
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
SSVC (Organization's Worst-case Scenario)
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
Timeline
  • 2007-03-08 CVE Reserved
  • 2007-05-09 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-08-12 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (40)
URL Tag Source
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx X_refsource_confirm
http://docs.info.apple.com/article.html?artnum=306172 X_refsource_confirm
http://jvn.jp/jp/JVN%2316535199/index.html Third Party Advisory
http://osvdb.org/34881 Vdb Entry
http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 X_refsource_confirm
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200704e.html X_refsource_confirm
http://www.securityfocus.com/archive/1/471719/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/500396/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/500412/100/0/threaded Mailing List
http://www.securityfocus.com/bid/24524 Vdb Entry
http://www.securityfocus.com/bid/25159 Vdb Entry
http://www.securitytracker.com/id?1018269 Vdb Entry
http://www.vupen.com/english/advisories/2007/1729 Vdb Entry
http://www.vupen.com/english/advisories/2007/2732 Vdb Entry
http://www.vupen.com/english/advisories/2007/3087 Vdb Entry
http://www.vupen.com/english/advisories/2007/3386 Vdb Entry
http://www.vupen.com/english/advisories/2008/1979/references Vdb Entry
http://www.vupen.com/english/advisories/2009/0233 Vdb Entry
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10679 Signature
Affected Vendors, Products, and Versions
Vendor Product Version Status
  • Apache Tomcat <= 4.1.31: Affected
  • Apache Tomcat 4.0.0: Affected
  • Apache Tomcat 4.0.1: Affected
  • Apache Tomcat 4.0.2: Affected
  • Apache Tomcat 4.0.3: Affected
  • Apache Tomcat 4.0.4: Affected
  • Apache Tomcat 4.0.5: Affected
  • Apache Tomcat 4.0.6: Affected
  • Apache Tomcat 4.1.0: Affected