Apache Tomcat Host Manager cross-site scripting vulnerability


Apache Tomcat, from the Apache Software Foundation, contains a cross-site scripting vulnerability.

Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.

The Host Manager Servlet does not properly filter user supplied data. This enables an cross-site scripting attack.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Apache Software Foundation
  • Apache Tomcat 5.5.0 to 5.5.24
  • Apache Tomcat 6.0.0 to 6.0.13
Hewlett-Packard Development Company, L.P
  • HP-UX 11.11
  • HP-UX 11.23
  • HP-UX 11.31
  • Asianux Server 3 (x86)
  • Asianux Server 3 (x86-64)
Red Hat, Inc.
  • Red Hat Enterprise Linux 5 (server)
  • Red Hat Enterprise Linux Desktop 5.0 (client)
  • RHEL Desktop Workstation 5 (client)


An arbitrary script could be executed on the user's web browser who logged into Apache Tomcat Host Manager.

[Update the Software]

We recommend that users of Apache Tomcat 6.0.x upgrade to Apache Tomcat 6.0.14 following the information provided by the vendor.


The fixed version of Apache Tomcat 5.5.x is not available yet.
We recommend that users of Apache Tomcat 5.5.x apply the following workaround.

This issue can be mitigated by logging out (closing the web browser) from the Host Manager when finished.
Vendor Information

Apache Software Foundation Hewlett-Packard Development Company, L.P MIRACLE LINUX CORPORATION Red Hat, Inc.
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [NVD Evaluation]
CVE (What is CVE?)

  1. CVE-2007-3386

  1. JVN : JVN#59851336
  2. National Vulnerability Database (NVD) : CVE-2007-3386
  3. Secunia Advisory : SA26465
  4. SecurityFocus : 25314
  5. FrSIRT Advisories : FrSIRT/ADV-2007-2880
Revision History

  • [2008/05/21]
      Web page published