Description

Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML."

Remediation

References

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html

http://marc.info/?l=bugtraq&m=127420533226623&w=2

http://marc.info/?l=bugtraq&m=127420533226623&w=2

http://marc.info/?l=bugtraq&m=129070310906557&w=2

http://marc.info/?l=bugtraq&m=129070310906557&w=2

http://marc.info/?l=bugtraq&m=133469267822771&w=2

http://marc.info/?l=bugtraq&m=133469267822771&w=2

http://marc.info/?l=bugtraq&m=136485229118404&w=2

http://marc.info/?l=bugtraq&m=136485229118404&w=2

http://secunia.com/advisories/35685

http://secunia.com/advisories/35788

http://secunia.com/advisories/37460

http://secunia.com/advisories/42368

http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1

http://support.apple.com/kb/HT4077

http://tomcat.apache.org/security-4.html

http://tomcat.apache.org/security-5.html

http://tomcat.apache.org/security-6.html

http://www.debian.org/security/2011/dsa-2207

http://www.mandriva.com/security/advisories?name=MDVSA-2009:136

http://www.mandriva.com/security/advisories?name=MDVSA-2009:138

http://www.securityfocus.com/archive/1/501538/100/0/threaded

http://www.securityfocus.com/archive/1/507985/100/0/threaded

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

http://www.vupen.com/english/advisories/2009/1856

http://www.vupen.com/english/advisories/2009/3316

http://www.vupen.com/english/advisories/2010/3056

https://exchange.xforce.ibmcloud.com/vulnerabilities/49213

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11041

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19345

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6564

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html

Related Vulnerabilities

CVE-2023-50730 Vulnerability in maven package edu.gemini:gsp-graphql-core_sjs1_2.13

CVE-2015-7520 Vulnerability in maven package org.apache.wicket:wicket-core

CVE-2023-29204 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2012-5887 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2022-45143 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

Severity

Critical

Classification

CWE-79

Tags

Vendor Advisory