LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

tomcat: cross-site scripting

Package(s):tomcat CVE #(s):CVE-2007-2449 CVE-2007-2450
Created:July 17, 2007 Updated:February 17, 2009
Description: Some JSPs within the 'examples' web application did not escape user provided data. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks (CVE-2007-2449).

Note: it is recommended the 'examples' web application not be installed on a production system.

The Manager and Host Manager web applications did not escape user provided data. If a user is logged in to the Manager or Host Manager web application, an attacker could perform a cross-site scripting attack (CVE-2007-2450).

Alerts:
SuSE SUSE-SR:2009:004 2009-02-17
Fedora FEDORA-2008-8130 2008-09-16
SuSE SUSE-SR:2008:007 2008-03-28
Fedora FEDORA-2008-1603 2008-02-13
Fedora FEDORA-2008-1467 2008-02-13
Debian DSA-1468-1 2008-01-20
Mandriva MDKSA-2007:241 2007-12-10
Fedora FEDORA-2007-3474 2007-11-17
Fedora FEDORA-2007-3456 2007-11-17
Red Hat RHSA-2007:0569-01 2007-07-17
(Log in to post comments)

tomcat: cross-site scripting

Posted Jan 15, 2008 21:14 UTC (Tue) by kreutzm (guest, #4700) [Link]

Debian Sarge and Etch are not vulnerable.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds