Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2007-2449: Cross-site Scripting in Apache Tomcat

CWE-79: Cross-site Scripting | 12 documents | 8 sources

Severity: 4.3 MEDIUM (NVD)
EPSS: 49.1% (top 2.22%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline: Published Jun 14 | Latest update May 1

Description

Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N (Exploitability: 8.6 | Impact: 2.9)

Affected Packages (1 package)

NVD: apache/tomcat 4.1.36 (+72)

Patches

🔴 Vulnerability Details (3)

GHSA: Apache Tomcat XSS Vulnerabilities in Examples Web Application (2022-05-01)
OSV: Apache Tomcat XSS Vulnerabilities in Examples Web Application (2022-05-01)
CVEList: CVE-2007-2449: Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4 (2007-06-14)

💥 Exploits & PoCs (2)

Exploit-DB: Apache Tomcat 6.0.13 - JSP Example Web Applications Cross-Site Scripting (2007-06-14)
Nuclei: Apache Tomcat 4.x-7.x - Cross-Site Scripting

📋 Vendor Advisories (1)

Red Hat: tomcat examples jsp XSS (2007-06-13)

💬 Community (5)

Bugzilla: CVE-2007-1358 CVE-2007-2449 CVE-2007-2450 tomcat5 various flaws [F8] (2007-11-02)
Bugzilla: CVE-2007-1358 CVE-2007-2449 CVE-2007-2450 tomcat5 various flaws [F7] (2007-06-19)
Bugzilla: CVE-2007-1358 CVE-2007-2449 CVE-2007-2450 tomcat5 various flaws [Fdevel] (2007-06-19)
Bugzilla: CVE-2007-2449 tomcat examples jsp XSS (2007-06-19)
Bugzilla: CVE-2007-1358 CVE-2007-2449 CVE-2007-2450 tomcat5 various flaws [FC6] (2007-06-19)
CVE-2007-2449 — Cross-site Scripting in Apache Tomcat | cvebase