Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-52318 PoC — Apache Tomcat: Incorrect JSP tag recycling leads to XSS

Source
https://github.com/TAM-K592/CVE-2024-52318
Associated Vulnerability
Title:Apache Tomcat: Incorrect JSP tag recycling leads to XSS (CVE-2024-52318)
Description:Incorrect object recycling and reuse vulnerability in Apache Tomcat. This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. Users are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue.
Description
CVE-2024-52318 - Apache Tomcat XSS Vulnerability in Generated JSPs
Readme
# CVE-2024-52318
🚨🚨CVE-2024-52318 - Apache Tomcat XSS Vulnerability in Generated JSPs🚨🚨

 Overview

CVE-2024-52318 is a crosssite scripting (XSS) vulnerability in Apache Tomcat, which arises from improperly released resources in generated JavaServer Pages (JSPs). This issue, introduced by a prior improvement (fix 69333), causes some JSP tags to fail in escaping output as expected. This can allow attackers to inject malicious scripts into web pages, potentially compromising user data or hijacking user sessions.



 Affected Versions

The following versions of Apache Tomcat are vulnerable:

Version Series	Affected Versions
Apache Tomcat 11.0	Versions prior to 11.0.1
Apache Tomcat 10.1	Versions prior to 10.1.33
Apache Tomcat 9.0	Versions prior to 9.0.97




 Exploitability

 Attack Vector

 How the Exploit Works:  
  Attackers can exploit this vulnerability by injecting malicious payloads into vulnerable JSPs. The failure to properly escape output may result in the execution of injected scripts when users access the affected pages.

 Potential Impact:
   Theft of sensitive user information, such as cookies and session tokens.
   Execution of unauthorized actions in the context of a user's session (e.g., CSRF attacks).
   Disruption of data integrity and overall system security.



 Mitigation

 Upgrade

To resolve this vulnerability, upgrade to a patched version of Apache Tomcat:

 Apache Tomcat 11.0.1 or later.
 Apache Tomcat 10.1.33 or later.
 Apache Tomcat 9.0.97 or later.

 Best Practices for JSP Development

1. Ensure all JSP outputs are explicitly escaped to prevent XSS vulnerabilities.
2. Regularly review and audit JSP configurations and tag library usage.
3. Implement a Content Security Policy (CSP) to mitigate the impact of any injected scripts.



 References

 [Apache Tomcat Security Advisory for CVE202452318](https://tomcat.apache.org/security11.html)
 
 [Apache Mailing List Discussion](https://lists.apache.org/thread/dz6nv1j2mm1m3hqfxdtt392qlo7xf6z0)
 
 [Apache Tomcat Downloads](https://tomcat.apache.org/download11.cgi)
File Snapshot

 [4.0K]  /data/pocs/49001190fafd078a0170b0d219aebec5a2e183ac
├── [3.2K]  CVE-2024-52318.py
└── [2.0K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →