low: Cross-site scripting
CVE-2007-2449
JSPs within the examples web application did not escape user provided
data before including it in the output. This enabled an XSS attack. These
JSPs now filter the data before use. This issue may be mitigated by
undeploying the examples web application. Note that it is recommended
that the examples web application is not installed on a production
system.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.24
low: Cross-site scripting
CVE-2007-2450
The Manager and Host Manager web applications did not escape user
provided data before including it in the output. This enabled an XSS
attack. These applications now filter the data before use. This issue may
be mitigated by logging out (closing the browser) of the application once
the management tasks have been completed.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.24
low: Session hi-jacking
CVE-2007-3382
Tomcat incorrectly treated a single quote character (') in a cookie
value as a delimiter. In some circumstances this led to the leaking of
information such as session ID to an attacker.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.24
low: Session hi-jacking
CVE-2007-3385
Tomcat incorrectly handled the character sequence \" in a cookie value.
In some circumstances this led to the leaking of information such as
session ID to an attacker.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.24
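As an added illustration (not Tomcat's own parser), the following Cookie-header tokenizer shows the parsing the two entries above call for: a single quote is ordinary value data, and inside a double-quoted value a backslash escapes the next character, so \" does not terminate the value and a neighbouring session ID is never absorbed into another cookie's value. The class name and the sample header are constructed for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Illustrative Cookie-header tokenizer; not Tomcat's own code. */
public final class CookieHeaderParser {

    /**
     * Splits a Cookie request header into name/value pairs. Only ';'
     * separates pairs (a simplification; the comma separator is ignored here).
     * A single quote is ordinary data, and inside a double-quoted value a
     * backslash escapes the next character, so the sequence \" is part of
     * the value rather than its end.
     */
    public static Map<String, String> parse(String header) {
        Map<String, String> cookies = new LinkedHashMap<>();
        int i = 0, n = header.length();
        while (i < n) {
            // skip separators and blanks between pairs
            while (i < n && (header.charAt(i) == ';' || header.charAt(i) == ' ')) i++;
            if (i >= n) break;
            int start = i;
            while (i < n && header.charAt(i) != '=' && header.charAt(i) != ';') i++;
            String name = header.substring(start, i).trim();
            StringBuilder value = new StringBuilder();
            if (i < n && header.charAt(i) == '=') {
                i++;
                if (i < n && header.charAt(i) == '"') {            // quoted-string value
                    i++;
                    while (i < n && header.charAt(i) != '"') {
                        char c = header.charAt(i);
                        if (c == '\\' && i + 1 < n) c = header.charAt(++i); // unescape \x
                        value.append(c);
                        i++;
                    }
                    i++;                                            // skip closing quote
                } else {                                            // bare value runs to ';'
                    while (i < n && header.charAt(i) != ';') value.append(header.charAt(i++));
                }
            }
            if (!name.isEmpty()) cookies.put(name, value.toString().trim());
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed header: a session ID beside values containing ' and \"
        String header = "JSESSIONID=ABC123; note=it's; quoted=\"a\\\"b;c\"; x=1";
        System.out.println(parse(header));
    }
}
```

Running it prints four separate cookies, with the session ID intact and the quoted value keeping its embedded quote and semicolon.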
low: Cross-site scripting
CVE-2007-3386
The Host Manager Servlet did not filter user supplied data before
display. This enabled an XSS attack.
Affects: 5.5.0-5.5.24