Description

Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.

Remediation

References

CVE-2005-4838

Related Vulnerabilities

WordPress 'wp-admin/admin.php' Module Configuration Security Bypass Vulnerability (0.6.2 - 2.8)

phpMyAdmin Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2015-3902)

WordPress 4.3.x Possible SQL Injection Vulnerability (4.3 - 4.3.12)

WordPress Plugin Booking Calendar Directory Traversal (7.0)

WordPress Plugin Post Pay Counter PHP Object Injection (2.730)

Severity

Medium

Classification

CVE-2005-4838 CWE-707

Tags

Missing Update Known Vulnerabilities