CVE-2007-1358
Published: 2007-05-10
Priority: P4 · 19 · low
CVSS 2.0: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
EPSS: 19.89% (97.1st percentile)
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
Affected
9 ranges are listed by the source, but only one carries version data on this page. The description above gives the affected versions as 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34, which is wider than the one populated range, so treat the table as incomplete rather than authoritative. The Bugzilla entries below record the fix as present in Tomcat 5.5.25 and 6.0.6; no fixed 4.x version is given here.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | <= 4.1.31 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N |
| vendor_redhat | 2.0 | 2.6 | LOW | (not given) |
Red Hat
tomcat accept-language xss flaw
vendor_redhat · 2007-06-06 · CVSS 2.6 · LOW · CWE-79
Description: identical to the NVD text above.
GHSA
Apache Tomcat XSS In Accept-Language Headers
ghsa · 2022-05-01 · LOW · CWE-79
Description: identical to the NVD text above.
OSV
Apache Tomcat XSS In Accept-Language Headers
osv · 2022-05-01 · LOW
Description: identical to the NVD text above.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2007-5333 Improve cookie parsing for tomcat5 [rhn_satellite_5.0]
bugzilla · 2008-01-10 · CVSS 4.3 · MEDIUM (scored for CVE-2007-5333; this bug is listed here because its discussion names CVE-2007-1358)
rhn_satellite_5.0 tracking bug: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
For the security issues handling process overview see: http://intranet.corp.redhat.com/ic/intranet/SecurityZStreamFAQ
[bug automatically created by: add-tracking-bugs]
Discussion:
[root@rlx-3-18 RPMS]# ls tomcat5-5.0.30-0jpp_9rh.noarch.rpm
tomcat5-5.0.30-0jpp_9rh.noarch.rpm
[root@rlx-3-18 RPMS]# pwd
/tmp/mnt/RPMS
[root@rlx-3-18 RPMS]#
verified
---
This is not a bug. The real issue that was talked about is actually:
private bug Bugzilla Bug 430731: CVE-2007-5461 CVE-2007-3385 CVE-2007-3382
CVE-2007-1358 CVE-2007-1355 CVE-2007
Bugzilla
CVE-2007-1358 CVE-2007-2449 CVE-2007-2450 tomcat5 various flaws [F8]
bugzilla · 2007-11-02 · CVSS 2.6 · LOW
F8 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
tomcat5-5.5.25-1jpp.1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2007-1358 tomcat accept-language xss flaw
bugzilla · 2007-06-19 · CVSS 2.6 · LOW
"Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious Flash files to make requests with such custom headers. Tomcat now ignores invalid values for Accept-Language headers that do not conform to RFC 2616."
Therefore impact=low
"This flaw is actually an issue in the container getLocale() method and not in Struts itself. Tomcat has already been patched to ignore invalid values in the header, which blocks this flaw. The fix is included in version 6.0.6 and
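The mechanism the quoted advisory text above describes, as an added example in Python that is not Tomcat's code: an Accept-Language parser built from the RFC 2616 grammar (sections 3.9 and 14.4) that drops non-conforming list elements, which is the behaviour the advisory attributes to the fixed container, placed beside the vulnerable echo pattern the advisory warns about and a hardened renderer. The function names, the default locale and the two sample headers (the RFC's own example and a constructed crafted value of the kind an old Flash player could have attached) are my assumptions, not anything from the page or the Tomcat source.

```python
"""Added example (not Tomcat's code): the CVE-2007-1358 pattern.

RFC 2616 section 14.4 grammar that a page echoing Accept-Language assumes:

    Accept-Language = 1#( language-range [ ";" "q" "=" qvalue ] )
    language-range  = ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*"
    qvalue          = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )

Browsers only ever send values matching this, but a non-browser client
(the advisory names old Flash players) can send anything at all.
"""
import html
import re

_LANGUAGE_RANGE = re.compile(r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)$")
_QVALUE = re.compile(r"^(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)$")


def parse_element(element):
    """Return (language_range, q) for one list element, or None when the
    element does not conform to the RFC 2616 grammar."""
    parts = [p.strip() for p in element.split(";")]
    if len(parts) > 2 or not _LANGUAGE_RANGE.match(parts[0]):
        return None
    q = 1.0
    if len(parts) == 2:
        name, sep, value = (s.strip() for s in parts[1].partition("="))
        if name.lower() != "q" or not sep or not _QVALUE.match(value):
            return None
        q = float(value)
    return parts[0], q


def parse_accept_language(header):
    """Conforming elements only, highest q first. Non-conforming elements
    are dropped rather than failing the whole header, which is the
    behaviour the advisory describes ("ignores invalid values")."""
    accepted = []
    for element in header.split(","):
        element = element.strip()
        if not element:            # the #rule permits empty list elements
            continue
        parsed = parse_element(element)
        if parsed is not None and parsed[1] > 0:   # q=0 means "not acceptable"
            accepted.append(parsed)
    accepted.sort(key=lambda item: item[1], reverse=True)
    return accepted


def nonconforming_elements(header):
    """Raw elements that fail the grammar: a request carrying one did not
    come from a browser, so this is the signal to flag in a log or capture."""
    return [e.strip() for e in header.split(",")
            if e.strip() and parse_element(e.strip()) is None]


def render_vulnerable(header):
    """The pattern the advisory warns about: trust the header and echo it."""
    return "<p>Your language: " + header + "</p>"


def render_hardened(header, default="en"):
    """Use only a grammar-conforming value and escape it on output anyway:
    dropping invalid elements limits what a getLocale()-style API returns,
    output escaping is what protects a page that prints the header itself.
    The default locale is an assumption of this example."""
    ranges = parse_accept_language(header)
    chosen = ranges[0][0] if ranges else default
    return "<p>Your language: " + html.escape(chosen) + "</p>"


# Constructed inputs: the RFC's own example and a crafted header of the kind
# a malicious non-browser client could send.
RFC_EXAMPLE = "da, en-gb;q=0.8, en;q=0.7"
CRAFTED = "en-US,<script>alert(document.cookie)</script>;q=0.9,fr;q=0.5"

if __name__ == "__main__":
    print(parse_accept_language(RFC_EXAMPLE))
    print(nonconforming_elements(CRAFTED))
    print(render_vulnerable(CRAFTED))
    print(render_hardened(CRAFTED))
```

Two points the example makes that the advisory text only implies. First, the container-side change is a filter on what the locale API returns; an application that reads the raw header and prints it is protected only by output escaping, which `render_hardened` does as well. Second, because a conforming browser cannot produce a non-conforming element, `nonconforming_elements` run over header values pulled from an access log or proxy capture isolates exactly the requests that could carry this attack, which is the check a detection rule for this class would key on.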
Bugzilla
CVE-2007-1358 CVE-2007-2449 CVE-2007-2450 tomcat5 various flaws [F7]
bugzilla · 2007-06-19 · CVSS 2.6 · LOW
F7 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This is well over 4 months old. Please do an update as soon as possible.
---
tomcat5-5.5.25-1jpp.1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2007-1358 CVE-2007-2449 CVE-2007-2450 tomcat5 various flaws [Fdevel]
bugzilla · 2007-06-19 · CVSS 2.6 · LOW
Fdevel tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This is well over 4 months old. Please do an update as soon as possible.
---
This is already fixed in 5.5.25. Closing bug.
Bugzilla
CVE-2007-1358 CVE-2007-2449 CVE-2007-2450 tomcat5 various flaws [FC6]
bugzilla · 2007-06-19 · CVSS 2.6 · LOW
FC6 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This is well over 4 months old. Please do an update as soon as possible.
---
This is already fixed in 5.5.25. Closing bug.
Bugzilla
A number of tomcat issues
bugzilla · 2007-05-09 · CVSS 5.0 · MEDIUM (scored for CVE-2005-3164)
A number of issues affected tomcat 4.0.6 as distributed with Stronghold. Most of these are minor severity, all need triaging:
http://tomcat.apache.org/security-4.html
Information disclosure CVE-2005-3164
Information disclosure CVE-2005-2090
Directory traversal CVE-2007-0450
Cross-site scripting CVE-2007-1358
Cross-site scripting CVE-2006-7196
Directory listing CVE-2006-3835
Cross-site scripting CVE-2005-4838
Denial of service CVE-2005-3510
Denial of service CVE-2003-0866
Information disclosure CVE-2002-2006
Discussion:
closing; Stronghold has reached end of life.
References
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
http://docs.info.apple.com/article.html?artnum=306172
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
http://jvn.jp/jp/JVN%2316535199/index.html
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
http://osvdb.org/34881
http://rhn.redhat.com/errata/RHSA-2008-0630.html
http://secunia.com/advisories/25721
http://secunia.com/advisories/26235
http://secunia.com/advisories/26660
http://secunia.com/advisories/27037
http://secunia.com/advisories/27727
http://secunia.com/advisories/30899
http://secunia.com/advisories/30908
http://secunia.com/advisories/31493
http://secunia.com/advisories/33668
http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1
http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
http://tomcat.apache.org/security-4.html
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200704e.html
http://www.redhat.com/support/errata/RHSA-2008-0261.html
http://www.securityfocus.com/archive/1/471719/100/0/threaded
http://www.securityfocus.com/archive/1/500396/100/0/threaded
http://www.securityfocus.com/archive/1/500412/100/0/threaded
http://www.securityfocus.com/bid/24524
http://www.securityfocus.com/bid/25159
http://www.securitytracker.com/id?1018269
http://www.vupen.com/english/advisories/2007/1729
http://www.vupen.com/english/advisories/2007/2732
http://www.vupen.com/english/advisories/2007/3087
http://www.vupen.com/english/advisories/2007/3386
http://www.vupen.com/english/advisories/2008/1979/references
http://www.vupen.com/english/advisories/2009/0233
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10679
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html