4.3
CVSSv2

CVE-2008-1947

Published: 04/06/2008 Updated: 25/03/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 up to and including 5.5.26 and 6.0.0 up to and including 6.0.16 allows remote malicious users to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.

Affected Products

Vendor Product Versions
ApacheTomcat5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.5.14, 5.5.15, 5.5.16, 5.5.17, 5.5.18, 5.5.19, 5.5.20, 5.5.21, 5.5.22, 5.5.23, 5.5.24, 5.5.25, 5.5.26, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.0.16

Vendor Advisories

Synopsis Important: tomcat security update Type/Severity Security Advisory: Important Topic Updated tomcat packages that fix multiple security issues are now availablefor Red Hat Developer Suite 3This update has been rated as having important security impact by the RedHat Security Response Team D ...
Synopsis Low: tomcat security update for Red Hat Network Satellite Server Type/Severity Security Advisory: Low Topic Updated tomcat packages that fix multiple security issues are now availablefor Red Hat Network Satellite ServerThis update has been rated as having low security impact by the RedHat Security ...
Synopsis Important: tomcat security update Type/Severity Security Advisory: Important Topic Updated tomcat packages that fix several security issues are now availablefor Red Hat Application Server v2This update has been rated as having important security impact by the RedHat Security Response Team ...
It was discovered that the Host Manager web application performed insufficient input sanitising, which could lead to cross-site scripting For the stable distribution (etch), this problem has been fixed in version 5520-2etch3 For the unstable distribution (sid), this problem has been fixed in version 5526-3 We recommend that you upgrade your ...
VirtualCenter 25 before Update 4 ESX 35 without patch ESX350-200910403-SG ...

Mailing Lists

Tomcat versions 559 through 5526 and versions 600 through 6016 suffer from a host-manager cross site scripting vulnerability ...

References

CWE-79http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.htmlhttp://marc.info/?l=bugtraq&m=123376588623823&w=2http://marc.info/?l=bugtraq&m=139344343412337&w=2http://marc.info/?l=tomcat-user&m=121244319501278&w=2http://secunia.com/advisories/30500http://secunia.com/advisories/30592http://secunia.com/advisories/30967http://secunia.com/advisories/31639http://secunia.com/advisories/31865http://secunia.com/advisories/31891http://secunia.com/advisories/32120http://secunia.com/advisories/32222http://secunia.com/advisories/32266http://secunia.com/advisories/33797http://secunia.com/advisories/33999http://secunia.com/advisories/34013http://secunia.com/advisories/37460http://secunia.com/advisories/57126http://support.apple.com/kb/HT3216http://support.avaya.com/elmodocs2/security/ASA-2008-401.htmhttp://tomcat.apache.org/security-5.htmlhttp://tomcat.apache.org/security-6.htmlhttp://www.debian.org/security/2008/dsa-1593http://www.mandriva.com/security/advisories?name=MDVSA-2008:188http://www.redhat.com/support/errata/RHSA-2008-0648.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0862.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0864.htmlhttp://www.securityfocus.com/archive/1/492958/100/0/threadedhttp://www.securityfocus.com/archive/1/507985/100/0/threadedhttp://www.securityfocus.com/bid/29502http://www.securityfocus.com/bid/31681http://www.securitytracker.com/id?1020624http://www.vmware.com/security/advisories/VMSA-2009-0002.htmlhttp://www.vmware.com/security/advisories/VMSA-2009-0016.htmlhttp://www.vupen.com/english/advisories/2008/1725http://www.vupen.com/english/advisories/2008/2780http://www.vupen.com/english/advisories/2008/2823http://www.vupen.com/english/advisories/2009/0320http://www.vupen.com/english/advisories/2009/0503http://www.vupen.com/english/advisories/2009/3316https://exchange.xforce.ibmcloud.com/vulnerabilities/42816https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3Ehttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.htmlhttps://access.redhat.com/errata/RHSA-2008:0864https://www.debian.org/security/./dsa-1593https://nvd.nist.govhttps://www.rapid7.com/db/vulnerabilities/freebsd-vid-da5c4072-8082-11dd-9c8c-001c2514716chttp://tools.cisco.com/security/center/viewAlert.x?alertId=16021