CVE-2009-2696 — Cross-site Scripting in Apache Tomcat

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.9%

top 24.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat

Timeline

PublishedAug 5

Latest updateMay 2

Description

Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/tomcat4.1.39

🔴Vulnerability Details

GHSA

GHSA-x75h-2jg7-ffxw: Cross-site scripting (XSS) vulnerability in jsp/cal/cal2↗2022-05-02

▶

CVEList

CVE-2009-2696: Cross-site scripting (XSS) vulnerability in jsp/cal/cal2↗2010-08-05

▶

📋Vendor Advisories

Red Hat

tomcat: missing fix for CVE-2009-0781↗2010-08-02

▶

💬Community

Bugzilla

CVE-2009-2696 tomcat: missing fix for CVE-2009-0781↗2010-07-21

▶