Title: Apache Tomcat Cross-Site Scripting Vulnerability
Severity: HIGH
Description:
Apache Tomcat can be used together with the Apache web server or a stand alone server for Java Servlets and Java Pages. Tomcat ships with a built in web server.
Apache Tomcat does not filter script embedding from links that are displayed on a server's website. This problem is related to an input validation error in the JavaServlet Container.
A malicious webmaster can exploit this vulnerability to cause JavaScript commands or embedded scripts to be executed by any user who clicks on the hyper-link.
When the malicious hyper-link is clicked it will generate an error message including the specified or embedded script. The specified or embedded scripting will be executed in the client's browser and treated as content originating from the target server returning the error message. This also has the effect of obfuscating the attacker, as the script appears to be executed from the trusted host.
Successful exploitation of this vulnerability could lead to a complete compromise of the host.
Affected Products:
- Apache Software Foundation Tomcat 3.2.1
References:
- Apache Software Foundation: Tomcat Release Announcement
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
