Critical Vulnerability Information

Vulnerability Type: XSS in Host Manager
CVE ID: CVE-2007-3386
CWE ID: CWE-79
CVSS Score: 4.3/10
Risk Level: Low

Impact Score: 2.9/10
- Integrity Impact: Partial
- Confidentiality Impact: None
- Availability Impact: None

Exploitability Score: 8.6/10
- Attack Complexity: Medium
- Authentication Required: None

Discovery Date: 2007-08-15
Contributor: Mark Thomas

Vulnerability Description

Vendor: Apache Software Foundation

Affected Versions:
- 6.0.0 to 6.0.13
- 5.5.0 to 5.5.24

Description: The Host Manager Servlet does not filter user-submitted data before displaying it, enabling XSS attacks.

Mitigation:
- Log out (close the browser) from the Host Manager application after completing administrative tasks.
- Upgrade to version 6.0.14.

Discoverer: Discovered and reported collaboratively by NTT OSS CENTER and JPCERT/CC.

Example:

Reference Links:
- http://tomcat.apache.org/security.html