Vulnerability CVE-2007-2450: Information

Description

Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors.

Severity: LOW (3.5)

References to Advisories, Solutions, and Tools

1. Affected configurations:

   1. Configuration 1

      cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.1.36:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.1.9:beta:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.8:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.19:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.14:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.22:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.7:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.9:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.15:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.30:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.23:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.2:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.10:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.21:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.26:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.6:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.27:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.16:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.18:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.5:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.28:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.29:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.13:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.17:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.4:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.25:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.1:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.11:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.3:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.24:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:apache:tomcat:5.0.12:*:*:*:*:*:*:*

      ---