// For flags

CVE-2007-2449

Apache Tomcat 6.0.13 - JSP Example Web Applications Cross-Site Scripting

Severity Score

6.1
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.

Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en ciertos ficheros JSP en la aplicación web de ejemplo en el Apache Tomcat 4.0.0 hasta el 4.0.6, 4.1.0 hasta el 4.1.36, 5.0.0 hasta el 5.0.30, 5.5.0 hasta el 5.5.24 y el 6.0.0 hasta el 6.0.13 permiten a atacantes remotos la inyección de secuencias de comandos web o HTML de su elección a través de la porción de URI después del caracter ';', como lo demostrado utilizando una URI que contenía una secuencia "snp/snoop.jsp;".

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2007-05-02 CVE Reserved
  • 2007-06-14 CVE Published
  • 2007-06-14 First Exploit
  • 2024-08-07 CVE Updated
  • 2025-04-02 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (43)
URL Tag Source
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx X_refsource_confirm
http://osvdb.org/36080 Vdb Entry
http://secunia.com/advisories/26076 Third Party Advisory
http://secunia.com/advisories/27037 Third Party Advisory
http://secunia.com/advisories/27727 Third Party Advisory
http://secunia.com/advisories/29392 Third Party Advisory
http://secunia.com/advisories/30802 Third Party Advisory
http://secunia.com/advisories/31493 Third Party Advisory
http://secunia.com/advisories/33668 Third Party Advisory
http://securityreason.com/securityalert/2804 Third Party Advisory
http://support.apple.com/kb/HT2163 X_refsource_confirm
http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 X_refsource_confirm
http://tomcat.apache.org/security-4.html X_refsource_confirm
http://tomcat.apache.org/security-5.html X_refsource_confirm
http://www.securityfocus.com/archive/1/471351/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/500396/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/500412/100/0/threaded Mailing List
http://www.securityfocus.com/bid/24476 Vdb Entry
http://www.securitytracker.com/id?1018245 Vdb Entry
http://www.vupen.com/english/advisories/2007/2213 Vdb Entry
http://www.vupen.com/english/advisories/2007/3386 Vdb Entry
http://www.vupen.com/english/advisories/2008/1981/references Vdb Entry
http://www.vupen.com/english/advisories/2009/0233 Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/34869 Vdb Entry
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10578 Signature
URL Date SRC
https://www.exploit-db.com/exploits/30189 2007-06-14
URL Date SRC
http://tomcat.apache.org/security-6.html 2023-11-07
URL Date SRC
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 2023-11-07
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2008-0630.html 2023-11-07
http://www.mandriva.com/security/advisories?name=MDKSA-2007:241 2023-11-07
http://www.redhat.com/support/errata/RHSA-2007-0569.html 2023-11-07
http://www.redhat.com/support/errata/RHSA-2008-0261.html 2023-11-07
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html 2023-11-07
https://access.redhat.com/security/cve/CVE-2007-2449 2008-08-13
https://bugzilla.redhat.com/show_bug.cgi?id=244804 2008-08-13
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 <= 4.1.36
Search vendor "Apache" for product "Tomcat" and version " <= 4.1.36"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.0.0
Search vendor "Apache" for product "Tomcat" and version "4.0.0"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.0.1
Search vendor "Apache" for product "Tomcat" and version "4.0.1"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.0.2
Search vendor "Apache" for product "Tomcat" and version "4.0.2"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.0.3
Search vendor "Apache" for product "Tomcat" and version "4.0.3"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.0.4
Search vendor "Apache" for product "Tomcat" and version "4.0.4"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.0.5
Search vendor "Apache" for product "Tomcat" and version "4.0.5"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.0
Search vendor "Apache" for product "Tomcat" and version "5.0.0"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.1
Search vendor "Apache" for product "Tomcat" and version "5.0.1"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.2
Search vendor "Apache" for product "Tomcat" and version "5.0.2"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.3
Search vendor "Apache" for product "Tomcat" and version "5.0.3"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.4
Search vendor "Apache" for product "Tomcat" and version "5.0.4"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.5
Search vendor "Apache" for product "Tomcat" and version "5.0.5"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.6
Search vendor "Apache" for product "Tomcat" and version "5.0.6"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.7
Search vendor "Apache" for product "Tomcat" and version "5.0.7"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.8
Search vendor "Apache" for product "Tomcat" and version "5.0.8"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.9
Search vendor "Apache" for product "Tomcat" and version "5.0.9"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.10
Search vendor "Apache" for product "Tomcat" and version "5.0.10"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.11
Search vendor "Apache" for product "Tomcat" and version "5.0.11"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.12
Search vendor "Apache" for product "Tomcat" and version "5.0.12"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.13
Search vendor "Apache" for product "Tomcat" and version "5.0.13"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.14
Search vendor "Apache" for product "Tomcat" and version "5.0.14"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.15
Search vendor "Apache" for product "Tomcat" and version "5.0.15"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.16
Search vendor "Apache" for product "Tomcat" and version "5.0.16"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.17
Search vendor "Apache" for product "Tomcat" and version "5.0.17"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.18
Search vendor "Apache" for product "Tomcat" and version "5.0.18"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.19
Search vendor "Apache" for product "Tomcat" and version "5.0.19"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.21
Search vendor "Apache" for product "Tomcat" and version "5.0.21"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.22
Search vendor "Apache" for product "Tomcat" and version "5.0.22"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.23
Search vendor "Apache" for product "Tomcat" and version "5.0.23"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.24
Search vendor "Apache" for product "Tomcat" and version "5.0.24"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.25
Search vendor "Apache" for product "Tomcat" and version "5.0.25"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.26
Search vendor "Apache" for product "Tomcat" and version "5.0.26"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.27
Search vendor "Apache" for product "Tomcat" and version "5.0.27"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.28
Search vendor "Apache" for product "Tomcat" and version "5.0.28"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.29
Search vendor "Apache" for product "Tomcat" and version "5.0.29"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.0.30
Search vendor "Apache" for product "Tomcat" and version "5.0.30"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.0
Search vendor "Apache" for product "Tomcat" and version "5.5.0"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.1
Search vendor "Apache" for product "Tomcat" and version "5.5.1"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.2
Search vendor "Apache" for product "Tomcat" and version "5.5.2"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.3
Search vendor "Apache" for product "Tomcat" and version "5.5.3"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.4
Search vendor "Apache" for product "Tomcat" and version "5.5.4"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.5
Search vendor "Apache" for product "Tomcat" and version "5.5.5"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.6
Search vendor "Apache" for product "Tomcat" and version "5.5.6"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.7
Search vendor "Apache" for product "Tomcat" and version "5.5.7"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.8
Search vendor "Apache" for product "Tomcat" and version "5.5.8"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.9
Search vendor "Apache" for product "Tomcat" and version "5.5.9"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.10
Search vendor "Apache" for product "Tomcat" and version "5.5.10"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.11
Search vendor "Apache" for product "Tomcat" and version "5.5.11"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.12
Search vendor "Apache" for product "Tomcat" and version "5.5.12"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.13
Search vendor "Apache" for product "Tomcat" and version "5.5.13"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.14
Search vendor "Apache" for product "Tomcat" and version "5.5.14"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.15
Search vendor "Apache" for product "Tomcat" and version "5.5.15"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.16
Search vendor "Apache" for product "Tomcat" and version "5.5.16"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.17
Search vendor "Apache" for product "Tomcat" and version "5.5.17"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.18
Search vendor "Apache" for product "Tomcat" and version "5.5.18"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.19
Search vendor "Apache" for product "Tomcat" and version "5.5.19"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.20
Search vendor "Apache" for product "Tomcat" and version "5.5.20"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.21
Search vendor "Apache" for product "Tomcat" and version "5.5.21"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.22
Search vendor "Apache" for product "Tomcat" and version "5.5.22"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.0
Search vendor "Apache" for product "Tomcat" and version "6.0.0"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.1
Search vendor "Apache" for product "Tomcat" and version "6.0.1"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.2
Search vendor "Apache" for product "Tomcat" and version "6.0.2"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.3
Search vendor "Apache" for product "Tomcat" and version "6.0.3"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.4
Search vendor "Apache" for product "Tomcat" and version "6.0.4"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.5
Search vendor "Apache" for product "Tomcat" and version "6.0.5"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.6
Search vendor "Apache" for product "Tomcat" and version "6.0.6"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.7
Search vendor "Apache" for product "Tomcat" and version "6.0.7"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.8
Search vendor "Apache" for product "Tomcat" and version "6.0.8"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.10
Search vendor "Apache" for product "Tomcat" and version "6.0.10"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.11
Search vendor "Apache" for product "Tomcat" and version "6.0.11"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.12
Search vendor "Apache" for product "Tomcat" and version "6.0.12"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.13
Search vendor "Apache" for product "Tomcat" and version "6.0.13"
-
Affected