CVE-2007-2450

Published: Jun 14, 2007Modified: Apr 23, 2026

3.5

Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability: 6.8 / Impact: 2.9

Source: NVD

Description

Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors.

Affected (88)

Products: Apache: Tomcat

Apache

1 product

Tomcat

Configuration A

88 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 4.0.0
Apache Tomcat	Version 4.0.1
Apache Tomcat	Version 4.0.2
Apache Tomcat	Version 4.0.3
Apache Tomcat	Version 4.0.4
Apache Tomcat	Version 4.0.5
Apache Tomcat	Version 4.0.6
Apache Tomcat	Version 4.1.0
Apache Tomcat	Version 4.1.10
Apache Tomcat	Version 4.1.15
Apache Tomcat	Version 4.1.1
Apache Tomcat	Version 4.1.24
Apache Tomcat	Version 4.1.28
Apache Tomcat	Version 4.1.2
Apache Tomcat	Version 4.1.31
Apache Tomcat	Version 4.1.36
Apache Tomcat	Version 4.1.3
Apache Tomcat	Version 4.1.3 beta
Apache Tomcat	Version 4.1.9 beta
Apache Tomcat	Version 5.0.0
Apache Tomcat	Version 5.0.10
Apache Tomcat	Version 5.0.11
Apache Tomcat	Version 5.0.12
Apache Tomcat	Version 5.0.13
Apache Tomcat	Version 5.0.14
Apache Tomcat	Version 5.0.15
Apache Tomcat	Version 5.0.16
Apache Tomcat	Version 5.0.17
Apache Tomcat	Version 5.0.18
Apache Tomcat	Version 5.0.19
Apache Tomcat	Version 5.0.1
Apache Tomcat	Version 5.0.21
Apache Tomcat	Version 5.0.22
Apache Tomcat	Version 5.0.23
Apache Tomcat	Version 5.0.24
Apache Tomcat	Version 5.0.25
Apache Tomcat	Version 5.0.26
Apache Tomcat	Version 5.0.27
Apache Tomcat	Version 5.0.28
Apache Tomcat	Version 5.0.29
Apache Tomcat	Version 5.0.2
Apache Tomcat	Version 5.0.30
Apache Tomcat	Version 5.0.3
Apache Tomcat	Version 5.0.4
Apache Tomcat	Version 5.0.5
Apache Tomcat	Version 5.0.6
Apache Tomcat	Version 5.0.7
Apache Tomcat	Version 5.0.8
Apache Tomcat	Version 5.0.9
Apache Tomcat	Version 5.5.0
Apache Tomcat	Version 5.5.10
Apache Tomcat	Version 5.5.11
Apache Tomcat	Version 5.5.12
Apache Tomcat	Version 5.5.13
Apache Tomcat	Version 5.5.14
Apache Tomcat	Version 5.5.15
Apache Tomcat	Version 5.5.16
Apache Tomcat	Version 5.5.17
Apache Tomcat	Version 5.5.18
Apache Tomcat	Version 5.5.19
Apache Tomcat	Version 5.5.1
Apache Tomcat	Version 5.5.20
Apache Tomcat	Version 5.5.21
Apache Tomcat	Version 5.5.22
Apache Tomcat	Version 5.5.23
Apache Tomcat	Version 5.5.24
Apache Tomcat	Version 5.5.2
Apache Tomcat	Version 5.5.3
Apache Tomcat	Version 5.5.4
Apache Tomcat	Version 5.5.5
Apache Tomcat	Version 5.5.6
Apache Tomcat	Version 5.5.7
Apache Tomcat	Version 5.5.8
Apache Tomcat	Version 5.5.9
Apache Tomcat	Version 6.0.0
Apache Tomcat	Version 6.0.10
Apache Tomcat	Version 6.0.11
Apache Tomcat	Version 6.0.12
Apache Tomcat	Version 6.0.13
Apache Tomcat	Version 6.0.1
Apache Tomcat	Version 6.0.2
Apache Tomcat	Version 6.0.3
Apache Tomcat	Version 6.0.4
Apache Tomcat	Version 6.0.5
Apache Tomcat	Version 6.0.6
Apache Tomcat	Version 6.0.7
Apache Tomcat	Version 6.0.8
Apache Tomcat	Version 6.0.9

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (84)

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

Source: secalert@redhat.com

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795

Source: secalert@redhat.com

http://jvn.jp/jp/JVN%2307100457/index.html

Source: secalert@redhat.com

http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html

Source: secalert@redhat.com

http://secunia.com/advisories/25678

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/26076

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/27037

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/27727

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/28549

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/30802

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/30899

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/30908

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/33668

Source: secalert@redhat.com

Vendor Advisory

http://securityreason.com/securityalert/2813

Source: secalert@redhat.com

http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1

Source: secalert@redhat.com

http://support.apple.com/kb/HT2163

Source: secalert@redhat.com

http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

Source: secalert@redhat.com

http://tomcat.apache.org/security-4.html

Source: secalert@redhat.com

PatchVendor Advisory

http://tomcat.apache.org/security-5.html

Source: secalert@redhat.com

PatchVendor Advisory

http://tomcat.apache.org/security-6.html

Source: secalert@redhat.com

PatchVendor Advisory

http://www.debian.org/security/2008/dsa-1468

Source: secalert@redhat.com

http://www.mandriva.com/security/advisories?name=MDKSA-2007:241

Source: secalert@redhat.com

http://www.osvdb.org/36079

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2007-0569.html

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2008-0261.html

Source: secalert@redhat.com

http://www.securityfocus.com/archive/1/471357/100/0/threaded

Source: secalert@redhat.com

http://www.securityfocus.com/archive/1/500396/100/0/threaded

Source: secalert@redhat.com

http://www.securityfocus.com/archive/1/500412/100/0/threaded

Source: secalert@redhat.com

http://www.securityfocus.com/bid/24475

Source: secalert@redhat.com

http://www.securitytracker.com/id?1018245

Source: secalert@redhat.com

http://www.vupen.com/english/advisories/2007/2213

Source: secalert@redhat.com

http://www.vupen.com/english/advisories/2007/3386

Source: secalert@redhat.com

http://www.vupen.com/english/advisories/2008/1979/references

Source: secalert@redhat.com

http://www.vupen.com/english/advisories/2008/1981/references

Source: secalert@redhat.com

http://www.vupen.com/english/advisories/2009/0233

Source: secalert@redhat.com

https://exchange.xforce.ibmcloud.com/vulnerabilities/34868

Source: secalert@redhat.com

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11287

Source: secalert@redhat.com

https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html

Source: secalert@redhat.com

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx