CVE-2011-0013
published 2011-02-19CVE-2011-0013: Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6…
PriorityP423medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EPSS
10.23%
95.1th percentile
Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
Affected
65 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat5.9MEDIUM
vendor_ubuntu1.2LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Improper Neutralization of Input During Web Page Generation in Apache Tomcat
ghsa·2022-05-03
CVE-2011-0013 [MEDIUM] CWE-79 Improper Neutralization of Input During Web Page Generation in Apache Tomcat
Improper Neutralization of Input During Web Page Generation in Apache Tomcat
Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
OSV
Improper Neutralization of Input During Web Page Generation in Apache Tomcat
osv·2022-05-03
CVE-2011-0013 [MEDIUM] Improper Neutralization of Input During Web Page Generation in Apache Tomcat
Improper Neutralization of Input During Web Page Generation in Apache Tomcat
Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
Red Hat
libvirt: unintended firewall port exposure after restarting libvirtd when defining a bridged forward-mode network
vendor_redhat·2011-12-09·CVSS 5.9
CVE-2011-4600 [MEDIUM] libvirt: unintended firewall port exposure after restarting libvirtd when defining a bridged forward-mode network
libvirt: unintended firewall port exposure after restarting libvirtd when defining a bridged forward-mode network
The networkReloadIptablesRules function in network/bridge_driver.c in libvirt before 0.9.9 does not properly handle firewall rules on bridge networks when libvirtd is restarted, which might allow remote attackers to bypass intended access restrictions via a (1) DNS or (2) DHCP query.
Statement: This issue affect Red Hat Enterprise Linux 6 and has been addressed via
https://rhn.redhat.com/errata/RHBA-2012-0013.html. Red Hat Enterprise Linux 5 is
not affected. The Red Hat Security Response Team has rated this issue as having
low security impact. For additional information, refer to the Issue Severity
Classification: https://access.redhat.com/security/updates/classification/.
P
Ubuntu
Tomcat vulnerabilities
vendor_ubuntu·2011-03-29·CVSS 1.2
CVE-2010-3718 [LOW] Tomcat vulnerabilities
Title: Tomcat vulnerabilities
Summary: An attacker could send crafted input to Tomcat and cause it to crash or
read and write arbitrary files.
It was discovered that the Tomcat SecurityManager did not properly restrict
the working directory. An attacker could use this flaw to read or write
files outside of the intended working directory. (CVE-2010-3718)
It was discovered that Tomcat did not properly escape certain parameters in
the Manager application which could result in browsers becoming vulnerable
to cross-site scripting attacks when processing the output. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data (such as
passwor
Red Hat
tomcat: XSS vulnerability in HTML Manager interface
vendor_redhat·2011-01-11·CVSS 4.3
CVE-2011-0013 [MEDIUM] CWE-79 tomcat: XSS vulnerability in HTML Manager interface
tomcat: XSS vulnerability in HTML Manager interface
Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2011-4288 CVE-2011-4290 moodle: several flaws fixed in 1.9.12
bugzilla·2011-05-19·CVSS 4.0
CVE-2011-4288 [MEDIUM] CVE-2011-4288 CVE-2011-4290 moodle: several flaws fixed in 1.9.12
CVE-2011-4288 CVE-2011-4290 moodle: several flaws fixed in 1.9.12
Moodle 1.9.12 was released [1] and corrects the following flaws [2]:
MSA-11:0013: When a teacher is assigned to a group they can view quiz reports for all students, not just the students in their group.
MSA-11-0015: A vulnerability assessment done by the Acunetix Web Scanner revealed possible XSS vulnerabilities in pages of Moodle.
Upstream classifies these as major security vulnerabilities.
[1] http://moodle.org/news/
[2] http://moodle.org/security/
Discussion:
Created moodle tracking bugs for this issue
Affects: fedora-all [bug 706282]
Affects: epel-6 [bug 706283]
---
MSA-11-0013 was assigned CVE-2011-4288
MSA-11-0015 was assigned CVE-2011-4290
---
Current Fedora 14/15 have 1.9.14. Current Fedora 16 has 2.0.5.
Bugzilla
CVE-2011-0013 CVE-2010-3718 CVE-2011-0534 tomcat6 various flaws [fedora-all]
bugzilla·2011-02-07·CVSS 1.2
CVE-2011-0013 [LOW] CVE-2011-0013 CVE-2010-3718 CVE-2011-0534 tomcat6 various flaws [fedora-all]
CVE-2011-0013 CVE-2010-3718 CVE-2011-0534 tomcat6 various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=675786
Please note: this issue affects multip
Bugzilla
CVE-2011-0013 CVE-2010-3718 tomcat5 various flaws [fedora-all]
bugzilla·2011-02-07·CVSS 1.2
CVE-2011-0013 [LOW] CVE-2011-0013 CVE-2010-3718 tomcat5 various flaws [fedora-all]
CVE-2011-0013 CVE-2010-3718 tomcat5 various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=675786
Please note: this issue affects multiple supported v
Bugzilla
CVE-2011-0013 tomcat: XSS vulnerability in HTML Manager interface
bugzilla·2011-02-07·CVSS 4.3
CVE-2011-0013 [MEDIUM] CVE-2011-0013 tomcat: XSS vulnerability in HTML Manager interface
CVE-2011-0013 tomcat: XSS vulnerability in HTML Manager interface
Apache Tomcat 5.5.32 and 6.0.30 were released [1],[2] to fix, among other things, an XSS vulnerability in the HTML Manager [3]. The HTML Manager displayed unfiltered web application-provided data that could be used to trigger script execution by an administrative user when viewing the Manager pages, such as:
alert('hi');
For Tomcat 5.5.x, this was fixed in upstream revision 1057518 [4] and for Tomcat 6.x it was fixed in upstream revision 1057270 [5].
[1] http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32
[2] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30
[3] http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0077.html
[4] http://svn.apache.org/viewvc?rev=1057518&view
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.htmlhttp://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.htmlhttp://marc.info/?l=bugtraq&m=130168502603566&w=2http://marc.info/?l=bugtraq&m=132215163318824&w=2http://marc.info/?l=bugtraq&m=136485229118404&w=2http://marc.info/?l=bugtraq&m=139344343412337&w=2http://secunia.com/advisories/43192http://secunia.com/advisories/45022http://secunia.com/advisories/57126http://securityreason.com/securityalert/8093http://support.apple.com/kb/HT5002http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.htmlhttp://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_%28released_14_Jan_2011%29http://www.debian.org/security/2011/dsa-2160http://www.mandriva.com/security/advisories?name=MDVSA-2011:030http://www.redhat.com/support/errata/RHSA-2011-0791.htmlhttp://www.redhat.com/support/errata/RHSA-2011-0896.htmlhttp://www.redhat.com/support/errata/RHSA-2011-0897.htmlhttp://www.redhat.com/support/errata/RHSA-2011-1845.htmlhttp://www.securityfocus.com/archive/1/516209/30/90/threadedhttp://www.securityfocus.com/bid/46174http://www.securitytracker.com/id?1025026http://www.vupen.com/english/advisories/2011/0376https://bugzilla.redhat.com/show_bug.cgi?id=675786https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3Ehttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12878https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14945https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19269http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.htmlhttp://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.htmlhttp://marc.info/?l=bugtraq&m=130168502603566&w=2http://marc.info/?l=bugtraq&m=132215163318824&w=2http://marc.info/?l=bugtraq&m=136485229118404&w=2http://marc.info/?l=bugtraq&m=139344343412337&w=2http://secunia.com/advisories/43192http://secunia.com/advisories/45022http://secunia.com/advisories/57126http://securityreason.com/securityalert/8093http://support.apple.com/kb/HT5002http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.htmlhttp://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_%28released_14_Jan_2011%29http://www.debian.org/security/2011/dsa-2160http://www.mandriva.com/security/advisories?name=MDVSA-2011:030http://www.redhat.com/support/errata/RHSA-2011-0791.htmlhttp://www.redhat.com/support/errata/RHSA-2011-0896.htmlhttp://www.redhat.com/support/errata/RHSA-2011-0897.htmlhttp://www.redhat.com/support/errata/RHSA-2011-1845.htmlhttp://www.securityfocus.com/archive/1/516209/30/90/threadedhttp://www.securityfocus.com/bid/46174http://www.securitytracker.com/id?1025026http://www.vupen.com/english/advisories/2011/0376https://bugzilla.redhat.com/show_bug.cgi?id=675786https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3Ehttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12878https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14945https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19269
2011-02-19
Published