CVE-2010-4172
Published: 2010-11-26
Priority: P4 · CVSS 2.0: 4.3 (medium) · Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploit: EPSS 42.01% (98.5th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | 6.0.12 through 6.0.29 | 6.0.30 |
| apache | tomcat | 7.0.0 through 7.0.4 | 7.0.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Ubuntu
Tomcat vulnerability
vendor_ubuntu·2011-01-24
It was discovered that Tomcat did not properly escape certain parameters in
the Manager application which could result in browsers becoming vulnerable
to cross-site scripting attacks when processing the output. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data (such as
passwords), within the same domain.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
tomcat: cross-site-scripting vulnerability in the manager application
vendor_redhat·2010-11-22·CVSS 4.3·MEDIUM·CWE-79
Package: tomcat5 (Red Hat Enterprise Linux 5) - Not affected
OSV
Improper Neutralization of Input During Web Page Generation in Apache Tomcat
osv·2022-05-14·MEDIUM
GHSA
Improper Neutralization of Input During Web Page Generation in Apache Tomcat
ghsa·2022-05-14·MEDIUM·CWE-79
Suricata
ET WEB_SPECIFIC_APPS Apache Tomcat Sort Parameter Cross Site Scripting Attempt
suricata·2011-06-24·sid 2013117
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Sort Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/sessions?path="; nocase; content:"sort="; nocase; pcre:"/sort\x3D.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013117; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_24, cve CVE_2010_4172, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08
Suricata
ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Parameter Cross Site Scripting Attempt
suricata·2011-06-24·sid 2013118
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/sessions?path="; nocase; content:"orderby="; nocase; pcre:"/orderby\x3D.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013118; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_24, cve CVE_2010_4172, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, update
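The two ET rules above fire only when the request URI contains the substring `/sessions?path=`, the parameter name, and then one of a fixed list of keywords after the parameter value. The script below re-implements that matching logic in Python and runs it over constructed request URIs to show what the rules catch and, just as importantly, what they miss. It is an added example, not Emerging Threats' or Suricata's code: the keyword alternation is copied from the rules' `pcre` option, the `/manager/html/sessions` path and the sample URIs are assumptions, and the URIs are taken as already percent-decoded, since Suricata evaluates `http.uri` on its normalized buffer and what that normalization decodes depends on the libhtp configuration.

```python
"""Matching logic of ET sids 2013117 (sort=) and 2013118 (orderby=) re-implemented
to run over sample URIs. Added illustration; not the rule authors' or Suricata's code."""
import re

# Keyword alternation copied verbatim from the rules' pcre option.
_XSS_KEYWORDS = (r"(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|"
                 r"onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)")

# sid -> (content match for the parameter name, the pcre that must follow it)
RULES = {
    2013117: ("sort=",    re.compile(r"sort\x3D.+" + _XSS_KEYWORDS, re.I)),
    2013118: ("orderby=", re.compile(r"orderby\x3D.+" + _XSS_KEYWORDS, re.I)),
}


def match_rules(uri: str) -> list[int]:
    """Return the sids that would alert on this request URI.

    Mirrors the rule options in order: content:"/sessions?path="; nocase; then the
    parameter-name content match; then the case-insensitive pcre. The flow
    (established, to_server) and http buffer selection are assumed satisfied.
    """
    lowered = uri.lower()
    if "/sessions?path=" not in lowered:
        return []
    return [sid for sid, (param, pcre) in RULES.items()
            if param in lowered and pcre.search(uri)]


# Constructed sample URIs (not captured traffic). The page path is an assumption.
SAMPLES = {
    "benign":     "/manager/html/sessions?path=/examples&sort=id&order=ASC",
    "sort":       '/manager/html/sessions?path=/examples&sort="><script>alert(1)</script>',
    "orderby":    '/manager/html/sessions?path=/examples&orderBy=ASC"><svg onload=alert(1)>',
    "other_page": "/manager/html/list?sort=<script>alert(1)</script>",
    # 'onerror' is not in the rules' keyword list, so this payload is not alerted on.
    "evasion":    '/manager/html/sessions?path=/examples&sort="><img src=x onerror=fetch(\'//x\')>',
}


def summarize() -> dict[str, list[int]]:
    """Run every sample through the rules; returns {sample name: [sids]}."""
    return {name: match_rules(uri) for name, uri in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in summarize().items():
        print(f"{name:11s} -> {sids or 'no alert'}")
```

The `evasion` sample is the practical caveat: the keyword list is a fixed alternation, so an event handler it does not name (`onerror` here) reflects into the page just as the `sort` sample does but produces no alert. Treat these signatures as a cheap tripwire for the obvious payloads and rely on the patched manager application, not the IDS, for the actual fix.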
Bugzilla
CVE-2010-4172 tomcat: cross-site-scripting vulnerability in the manager application [fedora-all]
bugzilla·2011-01-13·CVSS 4.3·MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=656246
Please note: this
Bugzilla
CVE-2010-4312 tomcat6: does not use HTTPOnly for session cookies by default
bugzilla·2010-11-29·CVSS 4.3·MEDIUM
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4312 to
the following vulnerability:
Name: CVE-2010-4312
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312
Assigned: 20101126
Reference: BUGTRAQ:20101122 [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/514866/100/0/threaded
The default configuration of Apache Tomcat 6.x does not include the
HTTPOnly flag in a Set-Cookie header, which makes it easier for remote
attackers to hijack a session via script access to a cookie.
Discussion:
It does not look as though upstream is making this option the default in Tomcat6 as it did in Tomcat7. S
Bugzilla
CVE-2010-4172 tomcat: cross-site-scripting vulnerability in the manager application
bugzilla·2010-11-23·CVSS 4.3·MEDIUM
A cross-site-scripting flaw was discovered in the manager application. It reflected the user provided parameters sort and orderBy directly without filtering applied.
The issue affects Tomcat 6 (impact=moderate):
From 6.0.12 to 6.0.29 and was fixed in r1037779:
http://svn.apache.org/viewvc?rev=1037779&view=rev
Upstream 6.0.30 will correct this flaw as noted:
http://tomcat.apache.org/security-6.html
The issue affects Tomcat 7 (impact=low, as caught by CSRF protection):
From 7.0.0 to 7.0.4 and was fixed in r1037778:
http://svn.apache.org/viewvc?rev=1037778&view=rev
Upstream 7.0.5 will correct this flaw as noted:
http://tomcat.apache.org/security-7.html
Discussion:
Tomcat 6.0.30 has been released
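The Bugzilla entry above describes the flaw precisely: the sessions-list page echoes the `sort` and `orderBy` request parameters straight back into its HTML. The following Python illustration puts that pattern next to a hardened version that first validates both parameters against an allow-list and then HTML-escapes everything it echoes, including the `path` value. It is an added example, not Tomcat's JSP or `JspHelper` code, and it makes no claim about how r1037778/r1037779 implement the fix; the allow-listed sort keys, the `sessions?path=` link shape and the attack query strings are all constructed for the illustration.

```python
"""Reflected XSS in a sessions-list page (the pattern CVE-2010-4172 describes) beside a
hardened rendering. Added illustration in Python; not Tomcat's code."""
import html
from urllib.parse import parse_qs

# Constructed attacker links, written as the victim's browser would send them after
# percent-decoding. The first abuses sort, the second abuses path.
ATTACK_QS = 'path=/examples&sort=id"><script>alert(document.cookie)</script>&orderBy=ASC'
PATH_ATTACK_QS = 'path=/examples"><script>alert(1)</script>&sort=id&orderBy=ASC'

# Illustrative allow-lists; the real column names are not taken from the page.
ALLOWED_SORT = {"id", "creationTime", "lastAccessedTime", "inactiveTime"}
ALLOWED_ORDER = {"ASC", "DESC"}


def _params(query: str) -> tuple[str, str, str]:
    p = parse_qs(query, keep_blank_values=True)
    first = lambda k, default="": p.get(k, [default])[0]
    return first("path"), first("sort"), first("orderBy")


def render_vulnerable(query: str) -> str:
    """Echoes all three parameters unescaped: attacker-controlled markup lands in the page."""
    path, sort, order = _params(query)
    return (f'<a href="sessions?path={path}&sort={sort}&orderBy={order}">'
            f"Sessions sorted by {sort} ({order})</a>")


def render_hardened(query: str) -> str:
    """Allow-list the sort keys so they can never carry markup, then escape on output
    anyway (quote=True also neutralises the double quote that closes the href attribute).
    path is free-form, so escaping is the only defence it gets."""
    path, sort, order = _params(query)
    if sort not in ALLOWED_SORT:
        sort = "id"
    if order not in ALLOWED_ORDER:
        order = "ASC"
    path, sort, order = (html.escape(v, quote=True) for v in (path, sort, order))
    return (f'<a href="sessions?path={path}&amp;sort={sort}&amp;orderBy={order}">'
            f"Sessions sorted by {sort} ({order})</a>")


def contains_injected_script(markup: str) -> bool:
    """True if a literal <script> tag survived into the rendered HTML."""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    for qs in (ATTACK_QS, PATH_ATTACK_QS):
        print("vulnerable:", render_vulnerable(qs))
        print("hardened:  ", render_hardened(qs))
```

Both layers matter: the allow-list keeps the parameters from ever holding markup, but a later change that loosens it (or a free-form parameter like `path`) is still covered by the output escaping. The entry rates Tomcat 7 lower because the manager's CSRF protection rejects a crafted link that lacks a valid nonce before the page is rendered; that is a useful barrier, but it is not an XSS defence, so the escaping fix is required there as well.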
References
http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0285.html
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/42337
http://secunia.com/advisories/43019
http://secunia.com/advisories/45022
http://secunia.com/advisories/57126
http://securitytracker.com/id?1024764
http://support.apple.com/kb/HT5002
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html
http://svn.apache.org/viewvc?view=revision&revision=1037778
http://svn.apache.org/viewvc?view=revision&revision=1037779
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://www.redhat.com/support/errata/RHSA-2011-0791.html
http://www.redhat.com/support/errata/RHSA-2011-0896.html
http://www.redhat.com/support/errata/RHSA-2011-0897.html
http://www.securityfocus.com/archive/1/514866/100/0/threaded
http://www.securityfocus.com/bid/45015
http://www.ubuntu.com/usn/USN-1048-1
http://www.vupen.com/english/advisories/2010/3047
http://www.vupen.com/english/advisories/2011/0203
https://bugzilla.redhat.com/show_bug.cgi?id=656246
https://exchange.xforce.ibmcloud.com/vulnerabilities/63422