Apache Tomcat Host Manager Application Cross-Site Scripting Vulnerability
Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.
Apache Tomcat and the HP HP-UX Tomcat-based Servlet Engine contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script code in a user's browser session. The vulnerability is due to insufficient input sanitization in the Host Manager application: the host name submitted to host-manager/html/add is reflected into the HTML response without encoding. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user who is logged in to Host Manager to follow a crafted link designed to pass malicious HTML and script code to the targeted server. The crafted link could allow the attacker to execute malicious HTML or script code in the user's browser session in the security context of the site. Sufficient information to reliably exploit the vulnerability is publicly available. Apache and HP have confirmed the vulnerability in security announcements and released updated software.
| Vendor | Product | Affected versions |
|---|---|---|
| Apache | Tomcat | 5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.5.14, 5.5.15, 5.5.16, 5.5.17, 5.5.18, 5.5.19, 5.5.20, 5.5.21, 5.5.22, 5.5.23, 5.5.24, 5.5.25, 5.5.26, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.0.16 |