This alert was generated using only banner information. It may be a false positive.
Fixed in Apache Tomcat 5.5.27:
low: Cross-site scripting CVE-2008-1232
The message argument of HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason-phrase of HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user supplied data must be included in the message argument.
low: Cross-site scripting CVE-2008-1947
The Host Manager web application did not escape user provided data before including it in the output. This enabled a XSS attack. This application now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.
important: Information disclosure CVE-2008-2370
When using a RequestDispatcher the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory.
Affected Apache Tomcat version (5.5.0 - 5.5.26).
- low: Cross-site scripting CVE-2008-1232
- Upgrade Apache Tomcat to the latest version.
- WordPress Plugin Wordfence Security-Firewall & Malware Scan Cross-Site Scripting (6.0.21)
- WordPress Plugin MailPoet 2 Cross-Site Scripting (2.6.19)
- WordPress Plugin Banner Garden Multiple Cross-Site Scripting Vulnerabilities (0.1.3)
- WordPress Plugin WP Photo Album Plus Cross-Site Scripting (4.9.2)
- WordPress Plugin WP Bannerize 'ajax_sorter.php' SQL Injection (2.8.7)