Vulnerability CVE-2007-3386

Vulnerability CVE-2007-3386

Published: 2007-08-14 Modified: 2012-02-12

Description:

Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action.

See advisories in our WLB2 database:

	Topic	Author	Date
Low	XSS in Host Manager	Mark Thomas	15.08.2007

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score	Impact Subscore	Exploitability Subscore
4.3/10	2.9/10	8.6/10

Exploit range	Attack complexity	Authentication
Remote	Medium	No required
Confidentiality impact	Integrity impact	Availability impact
None	Partial	None

Affected software
Apache -> Tomcat

References:

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554

http://jvn.jp/jp/JVN%2359851336/index.html

http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html

http://securityreason.com/securityalert/3010

http://securitytracker.com/id?1018558

http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

http://tomcat.apache.org/security-6.html

http://www.debian.org/security/2008/dsa-1447

http://www.mandriva.com/security/advisories?name=MDKSA-2007:241

http://www.redhat.com/support/errata/RHSA-2007-0871.html

http://www.securityfocus.com/archive/1/476448/100/0/threaded

http://www.securityfocus.com/archive/1/500396/100/0/threaded

http://www.securityfocus.com/archive/1/500412/100/0/threaded

http://www.securityfocus.com/bid/25314

http://www.vupen.com/english/advisories/2007/2880

http://www.vupen.com/english/advisories/2007/3386

http://www.vupen.com/english/advisories/2007/3527

http://www.vupen.com/english/advisories/2009/0233

https://exchange.xforce.ibmcloud.com/vulnerabilities/36001

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10077

https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html

Vulnerability CVE-2007-3386

Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action.

See advisories in our WLB2 database:

Low

XSS in Host Manager

CWE-79

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

4.3/10

2.9/10

8.6/10

Remote

Medium

No required

None

Partial

None

Affected software

References: