CVE - CVE-2005-4838

CVE-ID
CVE-2005-4838	Learn more at National Vulnerability Database (NVD) • Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings
Description
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
FULLDISC:20070906 Apache Tomcat remote xss URL:http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065598.html MISC:http://www.oliverkarow.de/research/jakarta556_xss.txt MLIST:[tomcat-dev] 20050103 Re: Fwd: XSS in Jakarta Tomcat 5.5.6 URL:http://marc.info/?l=tomcat-dev&m=110476790331536&w=2 MLIST:[tomcat-dev] 20050103 [PATCH jakarta-servletapi-5] Re: Fwd: XSS in Jakarta Tomcat 5.5.6 URL:http://marc.info/?l=tomcat-dev&m=110477195116951&w=2 CONFIRM:http://tomcat.apache.org/security-4.html CONFIRM:http://tomcat.apache.org/security-5.html REDHAT:RHSA-2008:0261 URL:http://www.redhat.com/support/errata/RHSA-2008-0261.html REDHAT:RHSA-2008:0630 URL:http://rhn.redhat.com/errata/RHSA-2008-0630.html OSVDB:12721 URL:http://www.osvdb.org/12721 OSVDB:34878 URL:http://www.osvdb.org/34878 OSVDB:34879 URL:http://www.osvdb.org/34879 SECTRACK:1012793 URL:http://securitytracker.com/id?1012793 SECUNIA:13737 URL:http://secunia.com/advisories/13737 SECUNIA:31493 URL:http://secunia.com/advisories/31493 XF:tomcat-functions-xss(36467) URL:http://xforce.iss.net/xforce/xfdb/36467
Date Entry Created
20070425	Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20070425)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE list, which standardizes names for security problems.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org

Common Vulnerabilities and Exposures

CVE-2005-4838