CVE-2008-1947
Tomcat host manager xss - name field
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.
Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en Apache Tomcat v5.5.9 a la v5.5.26 y v6.0.0 a la v6.0.16, permite a atacantes remotos inyectar secuencias de comandos web y HTML de su elección a través del parámetro name (también conocido como el atributo hostname) al host-manager/html/add.
A number of vulnerabilities have been discovered in the Apache Tomcat server. The default catalina.policy in the JULI logging component did not restrict certain permissions for web applications which could allow a remote attacker to modify logging configuration options and overwrite arbitrary files. A cross-site scripting vulnerability was found in the HttpServletResponse.sendError() method which could allow a remote attacker to inject arbitrary web script or HTML via forged HTTP headers. A cross-site scripting vulnerability was found in the host manager application that could allow a remote attacker to inject arbitrary web script or HTML via the hostname parameter. A traversal vulnerability was found when using a RequestDispatcher in combination with a servlet or JSP that could allow a remote attacker to utilize a specially-crafted request parameter to access protected web resources. A traversal vulnerability was found when the 'allowLinking' and 'URIencoding' settings were actived which could allow a remote attacker to use a UTF-8-encoded request to extend their privileges and obtain local files accessible to the Tomcat process. The updated packages have been patched to correct these issues.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2008-04-24 CVE Reserved
- 2008-06-03 CVE Published
- 2008-06-03 First Exploit
- 2024-08-07 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (55)
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/66931 | 2008-06-03 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.9 Search vendor "Apache" for product "Tomcat" and version "5.5.9" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.10 Search vendor "Apache" for product "Tomcat" and version "5.5.10" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.11 Search vendor "Apache" for product "Tomcat" and version "5.5.11" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.12 Search vendor "Apache" for product "Tomcat" and version "5.5.12" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.13 Search vendor "Apache" for product "Tomcat" and version "5.5.13" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.14 Search vendor "Apache" for product "Tomcat" and version "5.5.14" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.15 Search vendor "Apache" for product "Tomcat" and version "5.5.15" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.16 Search vendor "Apache" for product "Tomcat" and version "5.5.16" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.17 Search vendor "Apache" for product "Tomcat" and version "5.5.17" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.18 Search vendor "Apache" for product "Tomcat" and version "5.5.18" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.19 Search vendor "Apache" for product "Tomcat" and version "5.5.19" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.20 Search vendor "Apache" for product "Tomcat" and version "5.5.20" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.21 Search vendor "Apache" for product "Tomcat" and version "5.5.21" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.22 Search vendor "Apache" for product "Tomcat" and version "5.5.22" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.23 Search vendor "Apache" for product "Tomcat" and version "5.5.23" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.24 Search vendor "Apache" for product "Tomcat" and version "5.5.24" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.25 Search vendor "Apache" for product "Tomcat" and version "5.5.25" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.26 Search vendor "Apache" for product "Tomcat" and version "5.5.26" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.0 Search vendor "Apache" for product "Tomcat" and version "6.0.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.1 Search vendor "Apache" for product "Tomcat" and version "6.0.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.2 Search vendor "Apache" for product "Tomcat" and version "6.0.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.3 Search vendor "Apache" for product "Tomcat" and version "6.0.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.4 Search vendor "Apache" for product "Tomcat" and version "6.0.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.5 Search vendor "Apache" for product "Tomcat" and version "6.0.5" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.6 Search vendor "Apache" for product "Tomcat" and version "6.0.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.7 Search vendor "Apache" for product "Tomcat" and version "6.0.7" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.8 Search vendor "Apache" for product "Tomcat" and version "6.0.8" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.9 Search vendor "Apache" for product "Tomcat" and version "6.0.9" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.10 Search vendor "Apache" for product "Tomcat" and version "6.0.10" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.11 Search vendor "Apache" for product "Tomcat" and version "6.0.11" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.12 Search vendor "Apache" for product "Tomcat" and version "6.0.12" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.13 Search vendor "Apache" for product "Tomcat" and version "6.0.13" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.14 Search vendor "Apache" for product "Tomcat" and version "6.0.14" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.15 Search vendor "Apache" for product "Tomcat" and version "6.0.15" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.16 Search vendor "Apache" for product "Tomcat" and version "6.0.16" | - |
Affected
| ||||||