Description
Fixed in Apache Tomcat 6.0.6:
-
low: Cross-site scripting CVE-2007-1358
Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious Flash files to make requests with such custom headers. Tomcat now ignores invalid values for Accept-Language headers that do not conform to RFC 2616.
Affected Apache Tomcat version (6.0.0 - 6.0.5).
Remediation
Upgrade Apache Tomcat to the latest version.
References
Related Vulnerabilities
WordPress Plugin Add Any Extension to Pages Cross-Site Scripting (1.3)
WordPress Plugin Contact Form by BestWebSoft Cross-Site Scripting (4.0.1)
WordPress Plugin Product Size charts for Woocommerce Unspecified Vulnerability (1.0)
WordPress Plugin Click to Chat Cross-Site Scripting (1.6)
WordPress Plugin WP Security Safe Cross-Site Request Forgery (2.2.2)