Fixed in Apache Tomcat 6.0.11:
moderate: Cross-site scripting CVE-2007-1355
The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user-provided data before including it in the output. This enabled an XSS attack. These pages have been simplified so that they no longer use any user-provided data in the output.
important: Information disclosure CVE-2005-2090
Requests with multiple Content-Length headers should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain multiple Content-Length headers, and several components do not reject the request but make different decisions as to which Content-Length header to use, an attacker can poison a web cache, perform an XSS attack and obtain sensitive information from requests other than their own. Tomcat now returns 400 for requests with multiple Content-Length headers.
Affected Apache Tomcat versions: 6.0.0 - 6.0.10.
Upgrade Apache Tomcat to the latest version.
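As an added illustration of the CVE-2005-2090 fix (example code written for this page, not Tomcat's own parser): a minimal request-head checker that rejects a head carrying more than one Content-Length header with 400, beside a lenient picker that shows how two hops honouring the "first" versus the "last" header would disagree about where the body ends. The request bytes, the hypothetical helper names and the CRLF-only assumptions are constructed here.

```python
# Added example, not Apache Tomcat code: a minimal HTTP/1.1 request-head
# checker that applies the CVE-2005-2090 rule (more than one Content-Length
# header -> 400), plus a lenient picker that shows how two hops using
# different policies would disagree about the body length.
# Assumptions: CRLF line endings, no header folding, no Transfer-Encoding.

def _header_values(raw: bytes, name: bytes):
    """Return the values of every header called `name` (case-insensitive)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # head not terminated; caller treats this as malformed
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        field, colon, value = line.partition(b":")
        if colon and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def validate_request_head(raw: bytes):
    """Strict policy (what Tomcat 6.0.11 does): (status, reason, body_length)."""
    lengths = _header_values(raw, b"Content-Length")
    if lengths is None:
        return 400, "incomplete request head", None
    if len(lengths) > 1:
        return 400, "multiple Content-Length headers", None
    if not lengths:
        return 200, "ok", 0
    if not lengths[0].isdigit():
        return 400, "non-numeric Content-Length", None
    return 200, "ok", int(lengths[0])

def lenient_body_length(raw: bytes, policy: str):
    """Lenient policy a proxy or cache might use: honour the first or the last
    Content-Length seen. Two hops with different policies split the byte
    stream at different offsets, which is the disagreement the advisory
    describes. Returns None for a non-numeric value."""
    lengths = _header_values(raw, b"Content-Length") or []
    if not lengths:
        return 0
    chosen = lengths[0] if policy == "first" else lengths[-1]
    return int(chosen) if chosen.isdigit() else None

# Constructed sample requests: one with two conflicting Content-Length
# headers, one well-formed. The body "a=1&b=2&c=3" is 11 bytes long.
TWO_LENGTHS = (b"POST /sample HTTP/1.1\r\nHost: example.invalid\r\n"
               b"Content-Length: 4\r\nContent-Length: 11\r\n\r\na=1&b=2&c=3")
ONE_LENGTH = (b"POST /sample HTTP/1.1\r\nHost: example.invalid\r\n"
              b"Content-Length: 11\r\n\r\na=1&b=2&c=3")
```

Calling validate_request_head(TWO_LENGTHS) yields a 400 decision, while lenient_body_length(TWO_LENGTHS, "first") and lenient_body_length(TWO_LENGTHS, "last") return 4 and 11, the mismatch that lets two components read the same stream differently.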