Description
Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
Remediation
References
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
http://marc.info/?l=bugtraq&m=130168502603566&w=2
http://marc.info/?l=bugtraq&m=132215163318824&w=2
http://marc.info/?l=bugtraq&m=132215163318824&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/43192
http://secunia.com/advisories/45022
http://secunia.com/advisories/57126
http://securityreason.com/securityalert/8093
http://support.apple.com/kb/HT5002
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html
http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_%28released_14_Jan_2011%29
http://www.debian.org/security/2011/dsa-2160
http://www.mandriva.com/security/advisories?name=MDVSA-2011:030
http://www.redhat.com/support/errata/RHSA-2011-0791.html
http://www.redhat.com/support/errata/RHSA-2011-0896.html
http://www.redhat.com/support/errata/RHSA-2011-0897.html
http://www.redhat.com/support/errata/RHSA-2011-1845.html
http://www.securityfocus.com/archive/1/516209/30/90/threaded
http://www.securityfocus.com/bid/46174
http://www.securitytracker.com/id?1025026
http://www.vupen.com/english/advisories/2011/0376
https://bugzilla.redhat.com/show_bug.cgi?id=675786
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12878
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14945
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19269
Related Vulnerabilities
CVE-2015-8031 Vulnerability in maven package org.jvnet.hudson.main:hudson-core
CVE-2017-15691 Vulnerability in maven package org.apache.uima:uimaj-adapter-vinci
CVE-2023-49397 Vulnerability in maven package com.jfinal:jfinal
CVE-2023-30529 Vulnerability in maven package org.jenkins-ci.plugins:lucene-search
CVE-2022-34158 Vulnerability in maven package org.apache.jspwiki:jspwiki-war