4.3
CVSSv2

CVE-2008-1947

CVSSv4: NA | CVSSv3: NA | CVSSv2: 4.3 | VMScore: 530 | EPSS: 0.49114 | KEV: Not Included
Published: 04/06/2008 Updated: 09/04/2025

Vulnerability Summary

Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 up to and including 5.5.26 and 6.0.0 up to and including 6.0.16 allows remote malicious users to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.

Vulnerable Product Search on Vulmon Subscribe to Product

apache tomcat 5.5.9

apache tomcat 5.5.10

apache tomcat 5.5.11

apache tomcat 5.5.12

apache tomcat 5.5.13

apache tomcat 5.5.14

apache tomcat 5.5.15

apache tomcat 5.5.16

apache tomcat 5.5.17

apache tomcat 5.5.18

apache tomcat 5.5.19

apache tomcat 5.5.20

apache tomcat 5.5.21

apache tomcat 5.5.22

apache tomcat 5.5.23

apache tomcat 5.5.24

apache tomcat 5.5.25

apache tomcat 5.5.26

apache tomcat 6.0.0

apache tomcat 6.0.1

apache tomcat 6.0.2

apache tomcat 6.0.3

apache tomcat 6.0.4

apache tomcat 6.0.5

apache tomcat 6.0.6

apache tomcat 6.0.7

apache tomcat 6.0.8

apache tomcat 6.0.9

apache tomcat 6.0.10

apache tomcat 6.0.11

apache tomcat 6.0.12

apache tomcat 6.0.13

apache tomcat 6.0.14

apache tomcat 6.0.15

apache tomcat 6.0.16

Vendor Advisories

Synopsis Important: tomcat security update Type/Severity Security Advisory: Important Topic Updated tomcat packages that fix multiple security issues are now availablefor Red Hat Developer Suite 3This update has been rated as having important security impact by the RedHat Security Response Team D ...
Synopsis Low: tomcat security update for Red Hat Network Satellite Server Type/Severity Security Advisory: Low Topic Updated tomcat packages that fix multiple security issues are now availablefor Red Hat Network Satellite ServerThis update has been rated as having low security impact by the RedHat Security ...
Synopsis Important: tomcat security update Type/Severity Security Advisory: Important Topic Updated tomcat packages that fix several security issues are now availablefor Red Hat Application Server v2This update has been rated as having important security impact by the RedHat Security Response Team ...
It was discovered that the Host Manager web application performed insufficient input sanitising, which could lead to cross-site scripting For the stable distribution (etch), this problem has been fixed in version 5520-2etch3 For the unstable distribution (sid), this problem has been fixed in version 5526-3 We recommend that you upgrade your ...

Exploits

Tomcat versions 559 through 5526 and versions 600 through 6016 suffer from a host-manager cross site scripting vulnerability ...

References

CWE-79https://nvd.nist.govhttps://access.redhat.com/errata/RHSA-2008:0864https://www.first.org/epsshttps://www.debian.org/security/./dsa-1593http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.htmlhttp://marc.info/?l=bugtraq&m=123376588623823&w=2http://marc.info/?l=bugtraq&m=123376588623823&w=2http://marc.info/?l=bugtraq&m=139344343412337&w=2http://marc.info/?l=tomcat-user&m=121244319501278&w=2http://secunia.com/advisories/30500http://secunia.com/advisories/30592http://secunia.com/advisories/30967http://secunia.com/advisories/31639http://secunia.com/advisories/31865http://secunia.com/advisories/31891http://secunia.com/advisories/32120http://secunia.com/advisories/32222http://secunia.com/advisories/32266http://secunia.com/advisories/33797http://secunia.com/advisories/33999http://secunia.com/advisories/34013http://secunia.com/advisories/37460http://secunia.com/advisories/57126http://support.apple.com/kb/HT3216http://support.avaya.com/elmodocs2/security/ASA-2008-401.htmhttp://tomcat.apache.org/security-5.htmlhttp://tomcat.apache.org/security-6.htmlhttp://www.debian.org/security/2008/dsa-1593http://www.mandriva.com/security/advisories?name=MDVSA-2008:188http://www.redhat.com/support/errata/RHSA-2008-0648.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0862.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0864.htmlhttp://www.securityfocus.com/archive/1/492958/100/0/threadedhttp://www.securityfocus.com/archive/1/507985/100/0/threadedhttp://www.securityfocus.com/bid/29502http://www.securityfocus.com/bid/31681http://www.securitytracker.com/id?1020624http://www.vmware.com/security/advisories/VMSA-2009-0002.htmlhttp://www.vmware.com/security/advisories/VMSA-2009-0016.htmlhttp://www.vupen.com/english/advisories/2008/1725http://www.vupen.com/english/advisories/2008/2780http://www.vupen.com/english/advisories/2008/2823http://www.vupen.com/english/advisories/2009/0320http://www.vupen.com/english/advisories/2009/0503http://www.vupen.com/english/advisories/2009/3316https://exchange.xforce.ibmcloud.com/vulnerabilities/42816https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3Ehttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.htmlhttp://lists.apple.com/archives/security-announce/2008/Oct/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.htmlhttp://marc.info/?l=bugtraq&m=123376588623823&w=2http://marc.info/?l=bugtraq&m=123376588623823&w=2http://marc.info/?l=bugtraq&m=139344343412337&w=2http://marc.info/?l=tomcat-user&m=121244319501278&w=2http://secunia.com/advisories/30500http://secunia.com/advisories/30592http://secunia.com/advisories/30967http://secunia.com/advisories/31639http://secunia.com/advisories/31865http://secunia.com/advisories/31891http://secunia.com/advisories/32120http://secunia.com/advisories/32222http://secunia.com/advisories/32266http://secunia.com/advisories/33797http://secunia.com/advisories/33999http://secunia.com/advisories/34013http://secunia.com/advisories/37460http://secunia.com/advisories/57126http://support.apple.com/kb/HT3216http://support.avaya.com/elmodocs2/security/ASA-2008-401.htmhttp://tomcat.apache.org/security-5.htmlhttp://tomcat.apache.org/security-6.htmlhttp://www.debian.org/security/2008/dsa-1593http://www.mandriva.com/security/advisories?name=MDVSA-2008:188http://www.redhat.com/support/errata/RHSA-2008-0648.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0862.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0864.htmlhttp://www.securityfocus.com/archive/1/492958/100/0/threadedhttp://www.securityfocus.com/archive/1/507985/100/0/threadedhttp://www.securityfocus.com/bid/29502http://www.securityfocus.com/bid/31681http://www.securitytracker.com/id?1020624http://www.vmware.com/security/advisories/VMSA-2009-0002.htmlhttp://www.vmware.com/security/advisories/VMSA-2009-0016.htmlhttp://www.vupen.com/english/advisories/2008/1725http://www.vupen.com/english/advisories/2008/2780http://www.vupen.com/english/advisories/2008/2823http://www.vupen.com/english/advisories/2009/0320http://www.vupen.com/english/advisories/2009/0503http://www.vupen.com/english/advisories/2009/3316https://exchange.xforce.ibmcloud.com/vulnerabilities/42816https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3Ehttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html