header-logo
Suggest Exploit
vendor:
Apache Tomcat
by:
Unknown
5.5
CVSS
MEDIUM
Cross-Site Scripting
79
CWE
Product Name: Apache Tomcat
Affected Version From: 5.5.2000
Affected Version To: 5.5.24 and 6.0.0 through 6.0.13
Patch Exists: YES
Related CWE:
CPE: apache:tomcat
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

Apache Tomcat Host Manager Servlet Cross-Site Scripting Vulnerability

The Apache Tomcat Host Manager Servlet is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to inject HTML and script code into the browser of an unsuspecting victim. The attacker may then steal cookie-based authentication credentials and launch other attacks.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user-supplied input to prevent the injection of malicious code. Additionally, keeping the Apache Tomcat software up-to-date with the latest patches and versions can help protect against known vulnerabilities.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/25314/info

Apache Tomcat Host Manager Servlet is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to inject HTML and script code into the browser of an unsuspecting victim. The attacker may then steal cookie-based authentication credentials and launch other attacks.

Apache Tomcat 5.5.0 through 5.5.24 and 6.0.0 through 6.0.13 are affected. 

<form action="http://localhost:8080/host-manager/html/add" method="get"> <input type="hidden" NAME='name' VALUE="aaa"> <input type="hidden" NAME='aliases' VALUE="<script>alert()</script>"> <input type="submit"> </form>