Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-34305

CWE-79Cross-site Scripting (XSS)14 documents10 sources
Severity
6.1MEDIUM
EPSS
16.9%
top 5.04%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apache TomcatApache Software Foundation Apache Tomcat
Timeline
PublishedJun 23
Latest updateApr 15

Description

In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

Mavenorg.apache.tomcat:tomcat10.1.0-M110.1.0-M17+3
NVDapache/tomcat8.5.508.5.81+3
Debiantomcat9< 9.0.65-1+3

🔴Vulnerability Details

5
OSV
Cross-site Scripting in Apache Tomcat2022-06-24
GHSA
Cross-site Scripting in Apache Tomcat2022-06-24
OSV
CVE-2022-34305: In Apache Tomcat 102022-06-23
CVEList
XSS in examples web application2022-06-23
VulnCheck
Apache Tomcat Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')2022

💥Exploits & PoCs

2
Nuclei
Apache Tomcat Examples Web Application - Cross-Site Scripting
Nuclei
Apache Tomcat - Default Login Discovery

📋Vendor Advisories

6
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: MFT Runtime Server (Apache Tomcat) — CVE-2022-343052023-04-15
Oracle
Oracle Oracle Communications Risk Matrix: Backend Server (Apache Tomcat) — CVE-2022-343052023-01-15
Oracle
Oracle Oracle Communications Applications Risk Matrix: REST API (Apache Tomcat) — CVE-2022-343052022-10-15
Red Hat
tomcat: XSS in examples web application2022-06-23
Debian
CVE-2022-34305: tomcat9 - In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64...2022
CVE-2022-34305 (MEDIUM CVSS 6.1) | In Apache Tomcat 10.1.0-M1 to 10.1. | cvebase.io