cbcvebase.
CVE-2007-3386
published 2007-08-14

Priority: P4 · 31 · medium · 4.3 (CVSS 2.0)
Vector: AV:N / AC:M / Au:N / C:N / I:P / A:N
Exploit: proof-of-concept available
EPSS: 58.96% (99.0th percentile)
Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action.

Affected

39 ranges, collapsed here to the two version ranges given in the description and notes:

Vendor    Product    Version range       Fixed in
apache    tomcat     5.5.0 to 5.5.24     5.5.25
apache    tomcat     6.0.0 to 6.0.13     6.0.14

Detection & IOCs (extracted from sources)

url: html/add?aliases=<payload>
  • Monitor HTTP requests to the Tomcat Host Manager Servlet endpoint '/html/add' for unsanitized or script-bearing input in the 'aliases' parameter, which is the demonstrated attack vector for this XSS vulnerability.
  • Look for XSS payloads (e.g., script tags or event handlers) injected into the 'aliases' parameter of requests targeting the Host Manager Servlet on Apache Tomcat 5.5.0–5.5.24 and 6.0.0–6.0.13.
  • The exploit proof-of-concept uses an alert() XSS payload embedded in a crafted request; detect anomalous script injection strings (e.g., 'alert()">' patterns) in Host Manager Servlet request parameters.
  • The vulnerability exists only in Apache Tomcat versions 5.5.0 through 5.5.24 and 6.0.0 through 6.0.13; versions 5.5.25+ and 6.0.14+ are patched. Ensure the Host Manager Servlet is not exposed to untrusted users on unpatched versions.
  • Exploitation requires the victim to be authenticated (logged in) to the Host Manager Servlet before being lured to the attacker-controlled page, limiting the attack surface to authenticated sessions.
  • Successful exploitation can lead to theft of cookie-based authentication credentials; ensure session cookies are flagged HttpOnly to reduce impact.
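An added example, not part of this record's sources, that implements the monitoring described above as a scan over Common Log Format access-log lines: it picks out requests to the Host Manager 'html/add' action and flags any 'aliases' value that decodes to HTML or script markers. The log lines are constructed, and the '/host-manager' context path is an assumption.

```python
"""Flag Tomcat Host Manager 'html/add' requests whose 'aliases' parameter
carries HTML/script content (CVE-2007-3386 detection heuristic).
Added example; the sample log lines are constructed, not from a real incident."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Common Log Format: host ident user [time] "METHOD /path?query HTTP/x" status size
_CLF = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Script-bearing markers: a tag, an inline event handler, a javascript: URL,
# or the alert() pattern named in the IOC list above.
_SCRIPT_MARKERS = re.compile(
    r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:|alert\s*\(', re.I)

def is_script_bearing(value: str) -> bool:
    """True if a parameter value, fully percent-decoded, contains HTML/script markers."""
    decoded = unquote(unquote(value))  # tolerate double-encoded input
    return bool(_SCRIPT_MARKERS.search(decoded))

def inspect_line(line: str):
    """Return a finding for a suspicious html/add request, or None."""
    m = _CLF.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('/html/add'):
        return None  # only the demonstrated endpoint is of interest here
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    hits = [a for a in params.get('aliases', []) if is_script_bearing(a)]
    if not hits:
        return None
    return {'src': m.group('src'), 'user': m.group('user'),
            'status': m.group('status'), 'aliases': hits}

def scan(lines):
    """Findings for every suspicious line in an iterable of access-log lines."""
    return [f for f in (inspect_line(l) for l in lines) if f]

# Constructed sample: a benign add, an add with a script tag in aliases, an unrelated request.
SAMPLE_LOG = [
    '198.51.100.7 - admin [14/Aug/2007:10:01:02 +0000] "GET /host-manager/html/add?name=app.example&aliases=www.app.example HTTP/1.1" 200 2311',
    '203.0.113.9 - admin [14/Aug/2007:10:01:05 +0000] "GET /host-manager/html/add?name=x&aliases=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 2450',
    '203.0.113.9 - admin [14/Aug/2007:10:01:09 +0000] "GET /host-manager/html/list HTTP/1.1" 200 1800',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```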

CVSS provenance

nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat · 4.3 MEDIUM