CVE-2010-4172 Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the orderBy or (2) the sort parameter to sessionsList.jsp, or via unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, which write request parameters and data originating from untrusted web applications into the page without escaping it. The issue is fixed in Apache Tomcat 6.0.30 and 7.0.5 (see the Apache security pages listed below). Because the Manager application is only reachable by an authenticated user holding a manager role, the reflected XSS has to be delivered to such a user; the injected script then executes with that user's Manager privileges.
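The bug class behind items (1) and (2), as an added illustration that is not Tomcat's code: a Manager-style sessions list builds a column-header link from the orderBy and sort query parameters. The vulnerable method concatenates the raw parameters into the markup, which is what the affected sessionsList.jsp did; the hardened method escapes every untrusted value at the point it is written into HTML and restricts the sort direction to the two values the page understands. The escapeXml helper, the markup, and the payload string are all constructed here for the example.

```java
// Added illustration of the CVE-2010-4172 bug class: a Manager-style sessions
// list that reflects the "orderBy" and "sort" query parameters into HTML.
// This is NOT Tomcat's code; it mimics what sessionsList.jsp did with those
// parameters so the unescaped and escaped renderings can be compared.
public class SessionsListXssDemo {

    // Constructed attacker input: closes the href attribute and the <a> tag,
    // then injects a script element. Typical reflected-XSS probe.
    static final String PAYLOAD = "id\"><script>alert(1)</script>";

    // Minimal HTML/XML escaping for the five significant characters.
    // The fixed Tomcat releases route untrusted values through an
    // equivalent escaping helper before they reach the page.
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: request parameters concatenated straight into the
    // column-header link. Anything the client sends ends up in the page as-is.
    static String renderHeaderVulnerable(String orderBy, String sort) {
        return "<th><a href=\"sessions?orderBy=" + orderBy + "&sort=" + sort + "\">"
             + "Session ID" + ("ASC".equals(sort) ? " &uarr;" : " &darr;") + "</a></th>";
    }

    // Hardened pattern: same markup, but orderBy is escaped where it is written
    // into HTML, and sort is validated against an allow-list instead of echoed.
    static String renderHeaderHardened(String orderBy, String sort) {
        String direction = "ASC".equals(sort) ? "ASC" : "DESC";   // allow-list, not echo
        return "<th><a href=\"sessions?orderBy=" + escapeXml(orderBy)
             + "&amp;sort=" + direction + "\">"
             + "Session ID" + ("ASC".equals(direction) ? " &uarr;" : " &darr;") + "</a></th>";
    }

    // Crude check over rendered output: did the raw script tag survive into the page?
    static boolean reflectsRawPayload(String html) {
        return html.contains("<script>");
    }

    public static void main(String[] args) {
        String vulnerable = renderHeaderVulnerable(PAYLOAD, PAYLOAD);
        String hardened   = renderHeaderHardened(PAYLOAD, PAYLOAD);
        System.out.println("vulnerable: " + vulnerable);
        System.out.println("hardened:   " + hardened);
        if (!reflectsRawPayload(vulnerable) || reflectsRawPayload(hardened)) {
            throw new AssertionError("escaping demo did not behave as expected");
        }
    }
}
```

Compile and run with `javac SessionsListXssDemo.java && java SessionsListXssDemo`. The vulnerable line shows the payload breaking out of the href and landing as a live `<script>` element; the hardened line shows the same input reduced to inert `&lt;script&gt;` text and the sort direction pinned to DESC. Escaping at output time, rather than trying to filter on input, is the fix pattern the Tomcat patches applied.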
Reference
http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0285.html
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/42337
http://secunia.com/advisories/43019
http://secunia.com/advisories/45022
http://secunia.com/advisories/57126
http://securitytracker.com/id?1024764
http://support.apple.com/kb/HT5002
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html
http://svn.apache.org/viewvc?view=revision&revision=1037778
http://svn.apache.org/viewvc?view=revision&revision=1037779
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://www.redhat.com/support/errata/RHSA-2011-0791.html
http://www.redhat.com/support/errata/RHSA-2011-0896.html
http://www.redhat.com/support/errata/RHSA-2011-0897.html
http://www.securityfocus.com/archive/1/514866/100/0/threaded
http://www.securityfocus.com/bid/45015
http://www.ubuntu.com/usn/USN-1048-1
http://www.vupen.com/english/advisories/2010/3047
http://www.vupen.com/english/advisories/2011/0203
https://bugzilla.redhat.com/show_bug.cgi?id=656246
https://exchange.xforce.ibmcloud.com/vulnerabilities/63422