github - ghsa-f98p-9pp6-7q6c

ghsa-f98p-9pp6-7q6c

Vulnerability from github

Published

2022-05-01 23:45

Modified

2024-03-05 18:53

Summary

Apache Tomcat Cross-site scripting (XSS) vulnerability

Details

Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.5.26"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.5.9"
            },
            {
              "fixed": "5.5.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.16"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.5.26"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.5.9"
            },
            {
              "fixed": "5.5.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.16"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2008-1947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-08T22:33:18Z",
    "nvd_published_at": "2008-06-04T19:32:00Z",
    "severity": "MODERATE"
  },
  "details": "Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to `host-manager/html/add`.",
  "id": "GHSA-f98p-9pp6-7q6c",
  "modified": "2024-03-05T18:53:37Z",
  "published": "2022-05-01T23:45:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1947"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/ab6a6c41ac972c845717c9d639f0335865afab4d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/78ad0fcbe29c824f1f2e45a4e2716247b033250a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/49c71fc59c1b8f8da77aea9eb53e61db168aebab"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/5f00d434c8dc11bd49ce0b4b56fe889839056030"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200514224656/http://www.securityfocus.com/archive/1/507985/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20201208011750/http://www.securityfocus.com/archive/1/492958/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tomcat"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42816"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=446393"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2008-1947"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2008:1007"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2008:0864"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2008:0862"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2008:0648"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=123376588623823\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=tomcat-user\u0026m=121244319501278\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT3216"
    },
    {
      "type": "WEB",
      "url": "http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm"
    },
    {
      "type": "WEB",
      "url": "http://tomcat.apache.org/security-5.html"
    },
    {
      "type": "WEB",
      "url": "http://tomcat.apache.org/security-6.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2008/dsa-1593"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:188"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0648.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0864.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/security/advisories/VMSA-2009-0002.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Apache Tomcat Cross-site scripting (XSS) vulnerability"
}

cve-2008-1947

Vulnerability from cvelistv5

Published

2008-06-04 19:17

Modified

2024-08-07 08:40

Severity

Summary

References

URL	Tags
http://www.securityfocus.com/archive/1/492958/100/0/threaded	mailing-list, x_refsource_BUGTRAQ
http://secunia.com/advisories/30500	third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2008-0862.html	vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/34013	third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=tomcat-user&m=121244319501278&w=2	mailing-list, x_refsource_MLIST
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009	vdb-entry, signature, x_refsource_OVAL
http://www.vupen.com/english/advisories/2008/2823	vdb-entry, x_refsource_VUPEN
https://exchange.xforce.ibmcloud.com/vulnerabilities/42816	vdb-entry, x_refsource_XF
http://secunia.com/advisories/37460	third-party-advisory, x_refsource_SECUNIA
http://www.vmware.com/security/advisories/VMSA-2009-0002.html	x_refsource_CONFIRM
http://www.securityfocus.com/bid/31681	vdb-entry, x_refsource_BID
http://secunia.com/advisories/32120	third-party-advisory, x_refsource_SECUNIA
http://www.vmware.com/security/advisories/VMSA-2009-0016.html	x_refsource_CONFIRM
http://www.vupen.com/english/advisories/2008/1725	vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/30592	third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/33999	third-party-advisory, x_refsource_SECUNIA
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534	vdb-entry, signature, x_refsource_OVAL
http://www.securityfocus.com/bid/29502	vdb-entry, x_refsource_BID
http://secunia.com/advisories/31865	third-party-advisory, x_refsource_SECUNIA
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html	vendor-advisory, x_refsource_FEDORA
http://secunia.com/advisories/31639	third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/30967	third-party-advisory, x_refsource_SECUNIA
http://www.mandriva.com/security/advisories?name=MDVSA-2008:188	vendor-advisory, x_refsource_MANDRIVA
http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm	x_refsource_CONFIRM
http://www.vupen.com/english/advisories/2009/0320	vdb-entry, x_refsource_VUPEN
http://www.securityfocus.com/archive/1/507985/100/0/threaded	mailing-list, x_refsource_BUGTRAQ
http://www.redhat.com/support/errata/RHSA-2008-0864.html	vendor-advisory, x_refsource_REDHAT
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html	vendor-advisory, x_refsource_SUSE
http://tomcat.apache.org/security-6.html	x_refsource_CONFIRM
http://secunia.com/advisories/57126	third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/32222	third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/31891	third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/33797	third-party-advisory, x_refsource_SECUNIA
http://www.securitytracker.com/id?1020624	vdb-entry, x_refsource_SECTRACK
http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html	vendor-advisory, x_refsource_SUSE
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html	vendor-advisory, x_refsource_FEDORA
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html	vendor-advisory, x_refsource_FEDORA
http://tomcat.apache.org/security-5.html	x_refsource_CONFIRM
http://www.vupen.com/english/advisories/2008/2780	vdb-entry, x_refsource_VUPEN
http://marc.info/?l=bugtraq&m=123376588623823&w=2	vendor-advisory, x_refsource_HP
http://marc.info/?l=bugtraq&m=139344343412337&w=2	vendor-advisory, x_refsource_HP
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html	vendor-advisory, x_refsource_APPLE
http://support.apple.com/kb/HT3216	x_refsource_CONFIRM
http://www.vupen.com/english/advisories/2009/0503	vdb-entry, x_refsource_VUPEN
http://www.vupen.com/english/advisories/2009/3316	vdb-entry, x_refsource_VUPEN
http://marc.info/?l=bugtraq&m=123376588623823&w=2	vendor-advisory, x_refsource_HP
http://www.debian.org/security/2008/dsa-1593	vendor-advisory, x_refsource_DEBIAN
http://secunia.com/advisories/32266	third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2008-0648.html	vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website