Improper Neutralization of Input During Web Page Generation in Apache Tomcat

Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.

References

https://nvd.nist.gov/vuln/detail/CVE-2011-0013
https://bugzilla.redhat.com/show_bug.cgi?id=675786
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12878
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14945
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19269
http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
http://marc.info/?l=bugtraq&m=130168502603566&w=2
http://marc.info/?l=bugtraq&m=132215163318824&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://securityreason.com/securityalert/8093
http://support.apple.com/kb/HT5002
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html
http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30
http://www.debian.org/security/2011/dsa-2160
https://access.redhat.com/errata/RHSA-2011:0791
https://access.redhat.com/errata/RHSA-2011:0896
https://access.redhat.com/errata/RHSA-2011:0897
https://access.redhat.com/errata/RHSA-2011:1845
https://access.redhat.com/security/cve/CVE-2011-0013
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_%28released_14_Jan_2011%29
http://www.mandriva.com/security/advisories?name=MDVSA-2011:030
apache/tomcat@58223c5
apache/tomcat55@863d77c
https://web.archive.org/web/20111227000129/http://secunia.com/advisories/45022
https://web.archive.org/web/20111229163935/http://secunia.com/advisories/43192
https://web.archive.org/web/20120126065143/http://www.securityfocus.com/archive/1/516209/30/90/threaded
https://web.archive.org/web/20120126070320/http://www.securitytracker.com/id?1025026
https://web.archive.org/web/20120213130147/http://www.securityfocus.com/bid/46174
https://web.archive.org/web/20151017023138/http://secunia.com/advisories/57126

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE ID

GHSA ID

Source code

Credits

Uh oh!