CVE-2011-0013

Published: Feb 19, 2011Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.

Affected (65)

Products: Apache: Tomcat

Apache

1 product

Tomcat

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 7.0.0
Apache Tomcat	Version 7.0.1
Apache Tomcat	Version 7.0.2
Apache Tomcat	Version 7.0.3
Apache Tomcat	Version 7.0.4
Apache Tomcat	Version 7.0.5

Configuration B

27 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 6.0.0
Apache Tomcat	Version 6.0.10
Apache Tomcat	Version 6.0.11
Apache Tomcat	Version 6.0.12
Apache Tomcat	Version 6.0.13
Apache Tomcat	Version 6.0.14
Apache Tomcat	Version 6.0.15
Apache Tomcat	Version 6.0.16
Apache Tomcat	Version 6.0.17
Apache Tomcat	Version 6.0.18
Apache Tomcat	Version 6.0.19
Apache Tomcat	Version 6.0.1
Apache Tomcat	Version 6.0.20
Apache Tomcat	Version 6.0.24
Apache Tomcat	Version 6.0.26
Apache Tomcat	Version 6.0.27
Apache Tomcat	Version 6.0.28
Apache Tomcat	Version 6.0.29
Apache Tomcat	Version 6.0.2
Apache Tomcat	Version 6.0.3
Apache Tomcat	Version 6.0.4
Apache Tomcat	Version 6.0.5
Apache Tomcat	Version 6.0.6
Apache Tomcat	Version 6.0.7
Apache Tomcat	Version 6.0.8
Apache Tomcat	Version 6.0.9
Apache Tomcat	Version 6.0

Configuration C

32 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 5.5.0
Apache Tomcat	Version 5.5.10
Apache Tomcat	Version 5.5.11
Apache Tomcat	Version 5.5.12
Apache Tomcat	Version 5.5.13
Apache Tomcat	Version 5.5.14
Apache Tomcat	Version 5.5.15
Apache Tomcat	Version 5.5.16
Apache Tomcat	Version 5.5.17
Apache Tomcat	Version 5.5.18
Apache Tomcat	Version 5.5.19
Apache Tomcat	Version 5.5.1
Apache Tomcat	Version 5.5.20
Apache Tomcat	Version 5.5.21
Apache Tomcat	Version 5.5.22
Apache Tomcat	Version 5.5.23
Apache Tomcat	Version 5.5.24
Apache Tomcat	Version 5.5.25
Apache Tomcat	Version 5.5.26
Apache Tomcat	Version 5.5.27
Apache Tomcat	Version 5.5.28
Apache Tomcat	Version 5.5.29
Apache Tomcat	Version 5.5.2
Apache Tomcat	Version 5.5.30
Apache Tomcat	Version 5.5.31
Apache Tomcat	Version 5.5.3
Apache Tomcat	Version 5.5.4
Apache Tomcat	Version 5.5.5
Apache Tomcat	Version 5.5.6
Apache Tomcat	Version 5.5.7
Apache Tomcat	Version 5.5.8
Apache Tomcat	Version 5.5.9

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (66)

http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=130168502603566&w=2

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=132215163318824&w=2

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=136485229118404&w=2

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=139344343412337&w=2

Source: secalert@redhat.com

http://secunia.com/advisories/43192

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/45022

Source: secalert@redhat.com

http://secunia.com/advisories/57126

Source: secalert@redhat.com

http://securityreason.com/securityalert/8093

Source: secalert@redhat.com

http://support.apple.com/kb/HT5002

Source: secalert@redhat.com

http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html

Source: secalert@redhat.com

http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32

Source: secalert@redhat.com

PatchVendor Advisory

http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30

Source: secalert@redhat.com

PatchVendor Advisory

http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_%28released_14_Jan_2011%29

Source: secalert@redhat.com

http://www.debian.org/security/2011/dsa-2160

Source: secalert@redhat.com

http://www.mandriva.com/security/advisories?name=MDVSA-2011:030

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2011-0791.html

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2011-0896.html

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2011-0897.html

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2011-1845.html

Source: secalert@redhat.com

http://www.securityfocus.com/archive/1/516209/30/90/threaded

Source: secalert@redhat.com

http://www.securityfocus.com/bid/46174

Source: secalert@redhat.com

http://www.securitytracker.com/id?1025026

Source: secalert@redhat.com

Exploit

http://www.vupen.com/english/advisories/2011/0376

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=675786

Source: secalert@redhat.com

Patch

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12878

Source: secalert@redhat.com

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14945

Source: secalert@redhat.com

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19269

Source: secalert@redhat.com

http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html