CVE-2007-2449
published 2007-06-14


Priority: P4 · 34
CVSS 2.0: 4.3 (medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 77.38% (99.5th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.

Affected

73 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| apache | tomcat  | <= 4.1.36     |          |

Detection & IOCs (extracted from sources)

  • url: {{BaseURL}}/examples/jsp/snp/snoop.jsp;alert(document.domain)test.jsp
  • path: /examples/jsp/snp/snoop.jsp;
  • path: /jsp-examples/snp/snoop.jsp;[xss]
  • Look for HTTP GET requests targeting JSP example application paths containing a semicolon (';') followed by arbitrary content after snoop.jsp — the XSS payload is injected in the URI segment after the ';' character.
  • Match HTTP 200 responses whose body contains both 'Request URI: /examples/jsp/snp/snoop.jsp;alert(document.domain)test.jsp' and 'JSP Request Method' with Content-Type text/html — this confirms the XSS payload is reflected unencoded.
  • Shodan query 'title:"Apache Tomcat"' can be used to identify potentially exposed Tomcat instances for targeted scanning.
  • The vulnerability is specific to the 'examples' web application bundled with Apache Tomcat. The attack surface only exists if this optional examples webapp is deployed (it is not required for production use). Affected versions span Tomcat 4.0.0–4.0.6, 4.1.0–4.1.36, 5.0.0–5.0.30, 5.5.0–5.5.24, and 6.0.0–6.0.13.
  • Exploitation can lead to theft of cookie-based authentication credentials, making session hijacking a primary risk beyond simple script injection.
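A log-side check for the first two detection bullets, added here as an example and not taken from the page or from the Tomcat project: it parses combined-format access log lines (the sample lines are constructed), flags requests to the examples snoop.jsp that carry a segment after the ';', and grades each hit by whether the percent-decoded tail contains characters a benign path parameter such as jsessionid never needs. The log format, the regular expressions, the severity labels and the sample addresses are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Both examples-app locations from the IOC paths above: /examples/jsp
# (Tomcat 5.5/6) and /jsp-examples (Tomcat 5.0). Anything after ';' is a
# path parameter; the container still resolves the request to snoop.jsp,
# so the tail is what a vulnerable version reflects back.
SNOOP_RE = re.compile(
    r"^(?P<base>/(?:examples/jsp|jsp-examples)/snp/snoop\.jsp);(?P<tail>[^\s?]*)",
    re.IGNORECASE,
)

# Characters that break into markup or call script when the URI is echoed
# unencoded; a legitimate path parameter (jsessionid=...) never needs them.
SUSPICIOUS_RE = re.compile(r"[<>\"'()]")

# Apache/Tomcat combined log prefix: client ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    client: str
    path: str      # raw request path as logged
    tail: str      # decoded content after ';'
    status: int    # a 200 on an affected version means the tail was reflected
    severity: str  # "high" if the tail carries markup/script characters, else "low"


def inspect_path(raw_path: str) -> Optional[Tuple[str, str]]:
    """Return (decoded_tail, severity) for a snoop.jsp;<tail> path, else None."""
    m = SNOOP_RE.match(raw_path)
    if not m or not m.group("tail"):
        return None
    # Decode once so %3Cscript%3E and <script> are graded the same way.
    tail = unquote(m.group("tail"))
    severity = "high" if SUSPICIOUS_RE.search(tail) else "low"
    return tail, severity


def scan_log(lines) -> List[Finding]:
    """Run the check over access-log lines; lines that do not parse are skipped."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_path(m.group("path"))
        if hit is None:
            continue
        tail, severity = hit
        findings.append(Finding(m.group("client"), m.group("path"), tail,
                                int(m.group("status")), severity))
    return findings


# Constructed sample log lines (assumed addresses and timestamps, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jun/2007:10:01:22 +0000] "GET /examples/jsp/snp/snoop.jsp;alert(document.domain)test.jsp HTTP/1.1" 200 1523',
    '203.0.113.7 - - [14/Jun/2007:10:01:30 +0000] "GET /examples/jsp/snp/snoop.jsp HTTP/1.1" 200 1400',
    '198.51.100.4 - - [14/Jun/2007:10:02:01 +0000] "GET /jsp-examples/snp/snoop.jsp;jsessionid=ABC123 HTTP/1.1" 200 1400',
    '198.51.100.4 - - [14/Jun/2007:10:02:05 +0000] "GET /examples/jsp/snp/snoop.jsp;%3Cscript%3E HTTP/1.1" 404 300',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:4} {f.client:15} status={f.status} tail={f.tail!r}")
```

The jsessionid line is kept deliberately: a ';' segment on its own is normal servlet traffic, so it is reported at low severity and only the markup-bearing tails are raised to high. The status is carried along because, per the second bullet, a 200 with the tail echoed in the body is what confirms reflection on an affected version.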

CVSS provenance

| Source        | Version | Score | Severity | Vector                              |
|---------------|---------|-------|----------|-------------------------------------|
| nvd           | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N          |
| vendor_redhat |         | 4.3   | MEDIUM   |                                     |