CVE-2009-0781

medium

Description

Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML."

References

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6564

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19345

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11041

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

https://exchange.xforce.ibmcloud.com/vulnerabilities/49213

http://www.vupen.com/english/advisories/2010/3056

http://www.vupen.com/english/advisories/2009/3316

http://www.vupen.com/english/advisories/2009/1856

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

http://www.securityfocus.com/archive/1/507985/100/0/threaded

http://www.securityfocus.com/archive/1/501538/100/0/threaded

http://www.mandriva.com/security/advisories?name=MDVSA-2009:138

http://www.mandriva.com/security/advisories?name=MDVSA-2009:136

http://www.debian.org/security/2011/dsa-2207

http://tomcat.apache.org/security-6.html

http://tomcat.apache.org/security-5.html

http://tomcat.apache.org/security-4.html

http://support.apple.com/kb/HT4077

http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1

http://secunia.com/advisories/42368

http://secunia.com/advisories/37460

http://secunia.com/advisories/35788

http://secunia.com/advisories/35685

http://marc.info/?l=bugtraq&m=136485229118404&w=2

http://marc.info/?l=bugtraq&m=133469267822771&w=2

http://marc.info/?l=bugtraq&m=129070310906557&w=2

http://marc.info/?l=bugtraq&m=127420533226623&w=2

http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

Details

Source: Mitre, NVD

Published: 2009-03-09

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Severity: Medium