CVE - CVE-2005-4838

CVE-ID
CVE-2005-4838	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:1012793 URL:http://securitytracker.com/id?1012793 MISC:12721 URL:~~http://www.osvdb.org/12721~~ (Obsolete source) MISC:13737 URL:http://secunia.com/advisories/13737 MISC:20070906 Apache Tomcat remote xss URL:http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065598.html MISC:31493 URL:http://secunia.com/advisories/31493 MISC:34878 URL:~~http://www.osvdb.org/34878~~ (Obsolete source) MISC:34879 URL:~~http://www.osvdb.org/34879~~ (Obsolete source) MISC:RHSA-2008:0261 URL:http://www.redhat.com/support/errata/RHSA-2008-0261.html MISC:RHSA-2008:0630 URL:http://rhn.redhat.com/errata/RHSA-2008-0630.html MISC:[tomcat-dev] 20050103 Re: Fwd: XSS in Jakarta Tomcat 5.5.6 URL:http://marc.info/?l=tomcat-dev&m=110476790331536&w=2 MISC:[tomcat-dev] 20050103 [PATCH jakarta-servletapi-5] Re: Fwd: XSS in Jakarta Tomcat 5.5.6 URL:http://marc.info/?l=tomcat-dev&m=110477195116951&w=2 MISC:[tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ URL:https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E MISC:[tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ URL:https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E MISC:[tomcat-dev] 20200213 svn commit: r1873980 [24/34] - /tomcat/site/trunk/docs/ URL:https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E MISC:http://tomcat.apache.org/security-4.html URL:http://tomcat.apache.org/security-4.html MISC:http://tomcat.apache.org/security-5.html URL:http://tomcat.apache.org/security-5.html MISC:http://www.oliverkarow.de/research/jakarta556_xss.txt URL:http://www.oliverkarow.de/research/jakarta556_xss.txt MISC:tomcat-functions-xss(36467) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/36467
Assigning CNA
Red Hat, Inc.
Date Record Created
20070425	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20070425)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)

Use of the CVE™ List and the associated references from this website are subject to the terms of use. CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 1999–2025, The MITRE Corporation. CVE is a trademark and the CVE logo is a registered trademark of The MITRE Corporation.