4.3
CVSSv2

CVE-2008-1947

Published: 04/06/2008 Updated: 13/02/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 up to and including 5.5.26 and 6.0.0 up to and including 6.0.16 allows remote malicious users to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.

Vulnerable Product Search on Vulmon Subscribe to Product

apache tomcat 5.5.18

apache tomcat 6.0.6

apache tomcat 6.0.11

apache tomcat 5.5.12

apache tomcat 5.5.14

apache tomcat 5.5.10

apache tomcat 6.0.7

apache tomcat 5.5.11

apache tomcat 6.0.4

apache tomcat 5.5.26

apache tomcat 5.5.20

apache tomcat 5.5.15

apache tomcat 6.0.15

apache tomcat 5.5.21

apache tomcat 5.5.22

apache tomcat 6.0.10

apache tomcat 6.0.3

apache tomcat 6.0.9

apache tomcat 5.5.9

apache tomcat 5.5.25

apache tomcat 6.0.0

apache tomcat 6.0.14

apache tomcat 5.5.13

apache tomcat 6.0.1

apache tomcat 6.0.12

apache tomcat 5.5.24

apache tomcat 5.5.16

apache tomcat 6.0.5

apache tomcat 5.5.17

apache tomcat 5.5.19

apache tomcat 6.0.2

apache tomcat 6.0.13

apache tomcat 5.5.23

apache tomcat 6.0.16

apache tomcat 6.0.8

Vendor Advisories

It was discovered that the Host Manager web application performed insufficient input sanitising, which could lead to cross-site scripting For the stable distribution (etch), this problem has been fixed in version 5520-2etch3 For the unstable distribution (sid), this problem has been fixed in version 5526-3 We recommend that you upgrade your ...
Synopsis Important: tomcat security update Type/Severity Security Advisory: Important Topic Updated tomcat packages that fix multiple security issues are now availablefor Red Hat Developer Suite 3This update has been rated as having important security impact by the RedHat Security Response Team D ...
Synopsis Important: tomcat security update Type/Severity Security Advisory: Important Topic Updated tomcat packages that fix several security issues are now availablefor Red Hat Application Server v2This update has been rated as having important security impact by the RedHat Security Response Team ...
Synopsis Low: tomcat security update for Red Hat Network Satellite Server Type/Severity Security Advisory: Low Topic Updated tomcat packages that fix multiple security issues are now availablefor Red Hat Network Satellite ServerThis update has been rated as having low security impact by the RedHat Security ...

Exploits

Tomcat versions 559 through 5526 and versions 600 through 6016 suffer from a host-manager cross site scripting vulnerability ...

References

CWE-79http://marc.info/?l=tomcat-user&m=121244319501278&w=2http://tomcat.apache.org/security-5.htmlhttp://tomcat.apache.org/security-6.htmlhttp://secunia.com/advisories/30500http://www.debian.org/security/2008/dsa-1593http://secunia.com/advisories/30592http://secunia.com/advisories/30967http://www.mandriva.com/security/advisories?name=MDVSA-2008:188http://www.redhat.com/support/errata/RHSA-2008-0648.htmlhttp://www.securitytracker.com/id?1020624http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.htmlhttp://www.securityfocus.com/bid/29502http://secunia.com/advisories/31639http://secunia.com/advisories/31891https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.htmlhttp://secunia.com/advisories/31865http://www.redhat.com/support/errata/RHSA-2008-0862.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0864.htmlhttp://www.securityfocus.com/bid/31681http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.htmlhttp://secunia.com/advisories/32222http://support.apple.com/kb/HT3216http://support.avaya.com/elmodocs2/security/ASA-2008-401.htmhttp://marc.info/?l=bugtraq&m=123376588623823&w=2http://secunia.com/advisories/33797http://secunia.com/advisories/32120http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.htmlhttp://secunia.com/advisories/32266http://secunia.com/advisories/34013http://secunia.com/advisories/33999http://www.vupen.com/english/advisories/2009/0503http://www.vmware.com/security/advisories/VMSA-2009-0002.htmlhttp://www.vupen.com/english/advisories/2009/3316http://secunia.com/advisories/37460http://www.vmware.com/security/advisories/VMSA-2009-0016.htmlhttp://www.vupen.com/english/advisories/2009/0320http://www.vupen.com/english/advisories/2008/2823http://www.vupen.com/english/advisories/2008/1725http://www.vupen.com/english/advisories/2008/2780http://marc.info/?l=bugtraq&m=139344343412337&w=2http://secunia.com/advisories/57126https://exchange.xforce.ibmcloud.com/vulnerabilities/42816https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534http://www.securityfocus.com/archive/1/507985/100/0/threadedhttp://www.securityfocus.com/archive/1/492958/100/0/threadedhttps://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3Ehttps://nvd.nist.govhttps://www.debian.org/security/./dsa-1593