CVE-2007-3386 Information

Description

Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests as demonstrated using the aliases parameter to an html/add action.

Reference

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554
http://jvn.jp/jp/JVN2359851336/index.html
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
http://osvdb.org/36417
http://secunia.com/advisories/26465
http://secunia.com/advisories/26898
http://secunia.com/advisories/27037
http://secunia.com/advisories/27267
http://secunia.com/advisories/27727
http://secunia.com/advisories/28317
http://secunia.com/advisories/33668
http://securityreason.com/securityalert/3010
http://securitytracker.com/id?1018558
http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
http://tomcat.apache.org/security-6.html
http://www.debian.org/security/2008/dsa-1447
http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
http://www.redhat.com/support/errata/RHSA-2007-0871.html
http://www.securityfocus.com/archive/1/476448/100/0/threaded
http://www.securityfocus.com/archive/1/500396/100/0/threaded
http://www.securityfocus.com/archive/1/500412/100/0/threaded
http://www.securityfocus.com/bid/25314
http://www.vupen.com/english/advisories/2007/2880
http://www.vupen.com/english/advisories/2007/3386
http://www.vupen.com/english/advisories/2007/3527
http://www.vupen.com/english/advisories/2009/0233
https://exchange.xforce.ibmcloud.com/vulnerabilities/36001
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10077
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html