Description
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
Remediation
References
Related Vulnerabilities
WordPress Plugin Photo Gallery by 10Web-Mobile-Friendly Image Gallery Cross-Site Scripting (1.5.68)
WordPress Plugin All in One Webmaster Unspecified Vulnerability (11.0)
Moodle Improper Input Validation Vulnerability (CVE-2006-4936)
WordPress 3.9.x Same Origin Method Execution (SOME) Vulnerability (3.9 - 3.9.11)