- <div class="bb-coolbox"><span class="bb-dark">This alert was generated using only banner information. It may be a false positive. </span></div><br/><strong>Fixed in Apache Tomcat 5.5.27:</strong><br/><ul> <li> <strong>low</strong>: Cross-site scripting CVE-2008-1232<br/> The message argument of HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason-phrase of HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user supplied data must be included in the message argument. </li> <li> <strong>low</strong>: Cross-site scripting CVE-2008-1947<br/> The Host Manager web application did not escape user provided data before including it in the output. This enabled a XSS attack. This application now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed. </li> <li> <strong>important</strong>: Information disclosure CVE-2008-2370<br/> When using a RequestDispatcher the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. </li> </ul><br/> <span class="bb-navy">Affected Apache Tomcat version (5.5.0 - 5.5.26).</span><br/>
- Upgrade Apache Tomcat to the latest version.
- WordPress Plugin Gallery Categories by BestWebSoft Cross-Site Scripting (1.0.8)
- WordPress Plugin Bookshelf Cross-Site Scripting (2.0.4)
- WordPress Plugin Easy WP SMTP Cross-Site Scripting (1.2.4)
- WordPress 3.8.x Same Origin Method Execution (SOME) Vulnerability (3.8 - 3.8.13)
- WordPress Plugin Custom Website Data Cross-Site Scripting (1.0)