CVE-2007-2449 Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.
Reference
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
http://osvdb.org/36080
http://rhn.redhat.com/errata/RHSA-2008-0630.html
http://secunia.com/advisories/26076
http://secunia.com/advisories/27037
http://secunia.com/advisories/27727
http://secunia.com/advisories/29392
http://secunia.com/advisories/30802
http://secunia.com/advisories/31493
http://secunia.com/advisories/33668
http://securityreason.com/securityalert/2804
http://support.apple.com/kb/HT2163
http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
http://www.redhat.com/support/errata/RHSA-2007-0569.html
http://www.redhat.com/support/errata/RHSA-2008-0261.html
http://www.securityfocus.com/archive/1/471351/100/0/threaded
http://www.securityfocus.com/archive/1/500396/100/0/threaded
http://www.securityfocus.com/archive/1/500412/100/0/threaded
http://www.securityfocus.com/bid/24476
http://www.securitytracker.com/id?1018245
http://www.vupen.com/english/advisories/2007/2213
http://www.vupen.com/english/advisories/2007/3386
http://www.vupen.com/english/advisories/2008/1981/references
http://www.vupen.com/english/advisories/2009/0233
https://exchange.xforce.ibmcloud.com/vulnerabilities/34869
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10578
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html