[Japanese]
|
JVNDB-2007-000297
|
Apache Tomcat Accept-Language Header Cross-Site Scripting Vulnerability
|
Apache Tomcat from the Apache Software Foundation contains a cross-site scripting vulnerability in the Accept-Language header handling.
Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.
Apache Tomcat contains a cross-site scripting vulnerability. It occurs when the value of the Accept-Language header sent from a client is non-standard.
The vendor has confirmed that this vulnerability occurs when an outdated version of Flash is used.
|
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
Apache Software Foundation
- Apache Tomcat 4.0.0 - 4.0.6
- Apache Tomcat 4.1.0 - 4.1.34
- Apache Tomcat 5.0.0 - 5.0.30
- Apache Tomcat 5.5.0 - 5.5.20
- Apache Tomcat 6.0.0 - 6.0.5
Apple Inc.
- Apple Mac OS X Server v10.4.10
Sun Microsystems, Inc.
- Sun Solaris 10 (sparc)
- Sun Solaris 10 (x86)
- Sun Solaris 9 (sparc)
- Sun Solaris 9 (x86)
Hewlett-Packard Development Company, L.P
- HP-UX 11.11
- HP-UX 11.23
- HP-UX 11.31
MIRACLE LINUX CORPORATION
- Asianux Server 2.0
- Asianux Server 2.1
NEC Corporation
- WebOTX Application Server 6
- WebOTX Application Server 7
Hitachi, Ltd
- Cosminexus Application Server Enterprise Version 6
- Cosminexus Application Server Standard Version 6
- Cosminexus Application Server Version 5
- Cosminexus Developer Standard Version 6
- Cosminexus Developer Professional Version 6
- Cosminexus Developer Light Version 6
- Cosminexus Developer Version 5
- uCosminexus Application Server Server Enterprise
- uCosminexus Application Server Server Standard
- uCosminexus Application Server Server Smart Edition
- uCosminexus Developer Standard
- uCosminexus Developer Professional
- uCosminexus Developer Light
- uCosminexus Service Platform
- uCosminexus Service Architect
FUJITSU
- Interstage Application Framework Suite
- Interstage Application Server
- Interstage Apworks /Studio
- Interstage Business Application Server
- Interstage Job Workload Server
- Interstage Web Server
|
|
An arbitrary script may be executed on the user's web browser.
|
[Update the software]
Apply the latest updates provided by the vendor.
For more information, refer to the vendor's website.
|
Apache Software Foundation
Apple Inc.
Sun Microsystems, Inc.
- Sun Alert Notification : 239312
Hewlett-Packard Development Company, L.P
MIRACLE LINUX CORPORATION
NEC Corporation
- NEC Security Information : NV08-003 (Japanese)
Hitachi, Ltd
- Hitachi Software Vulnerability Information : HS08-013
FUJITSU
- FUJITSU Security Information : JVN#16535199 (Japanese)
- Fujitsu Software Security Patches & Updates : CVE-2007-1358 (Japanese)
|
- Cross-site Scripting(CWE-79) [NVD Evaluation]
|
- CVE-2007-1358
|
- JVN : JVN#16535199
- National Vulnerability Database (NVD) : CVE-2007-1358
- Secunia Advisory : SA25721
- SecurityFocus : 24524
- SecurityTracker : 1018269
- FrSIRT Advisories : FrSIRT/ADV-2007-1729
|
- [2008/05/21]
Web page published
[2008/06/10]
Affected Products : Added NEC Corporation (NV08-003).
Vendor Information : Added NEC Corporation (NV08-003).
[2008/07/04]
Affected Products : Added Hitachi, Ltd (HS08-013).
Vendor Information : Added Hitachi, Ltd (HS08-013).
[2008/07/11]
Affected Products : Added Sun Microsystems, Inc. (239312).
Vendor Information : Added Sun Microsystems, Inc. (239312).
|