Vulnerability Note VU#862600
Apache Tomcat SendMailServlet example vulnerable to cross-site scripting via FROM field
The example SendMailServlet page that comes with Apache Tomcat is vulnerable to cross-site scripting via the "From" field.
Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies. Apache Tomcat includes a sample page called SendMailServlet, which is provided by sendmail.jsp. This page fails to properly validate input to the "From" field, which creates a cross-site scripting vulnerability. According to the vendor, the following versions of Apache Tomcat are affected:
4.0.0 to 4.0.6
A remote attacker may be able to execute arbitrary script within the security context of the web site running Apache Tomcat. More information about cross-site scripting is available in CERT Advisory CA-2000-02.
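The defect described above is a reflected cross-site scripting pattern: a request parameter is copied into the HTML of the response without encoding. The following is an added illustration written for this note; it is not the code of Tomcat's sendmail.jsp and does not depend on the Servlet API. It shows the unsafe rendering of a "From" value into an input attribute beside a hardened version that HTML-encodes the value first, plus a small check a reviewer can run over rendered output. The class and method names, and the probe string, are constructed for the example.

```java
// Added illustration (not Tomcat's sendmail.jsp): reflected XSS in a mail-form
// page and its hardened counterpart using HTML output encoding.
public class SendMailFormDemo {

    // Fixed markup that precedes the untrusted value in both renderings.
    static final String PREFIX = "<input type=\"text\" name=\"from\" value=\"";
    static final String SUFFIX = "\">";

    // Vulnerable pattern: the submitted "from" value is concatenated verbatim
    // into an HTML attribute, so quotes and angle brackets in the parameter
    // become part of the page structure.
    public static String renderUnsafe(String from) {
        return PREFIX + (from == null ? "" : from) + SUFFIX;
    }

    // Encode the HTML-significant characters so untrusted text is rendered as
    // text rather than interpreted as markup or attribute delimiters.
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened pattern: same page, but the value is encoded before insertion.
    public static String renderSafe(String from) {
        return PREFIX + escapeHtml(from) + SUFFIX;
    }

    // Review check: between the fixed prefix and the closing delimiter, the
    // rendered attribute value must contain no raw quote or angle bracket.
    // Returns true when the untrusted value stayed confined to the attribute.
    public static boolean valueStaysInAttribute(String rendered) {
        if (!rendered.startsWith(PREFIX) || !rendered.endsWith(SUFFIX)) {
            return false;
        }
        String value = rendered.substring(PREFIX.length(),
                                          rendered.length() - SUFFIX.length());
        return value.indexOf('"') < 0 && value.indexOf('<') < 0
                && value.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        // Constructed probe: a quote and a tag, not a real address. It is the
        // kind of input a scanner sends to see whether output is encoded.
        String probe = "user@example.invalid\"><i>marker</i>";

        String unsafe = renderUnsafe(probe);
        String safe = renderSafe(probe);

        System.out.println("unsafe: " + unsafe);
        System.out.println("  value stays in attribute? " + valueStaysInAttribute(unsafe));
        System.out.println("safe:   " + safe);
        System.out.println("  value stays in attribute? " + valueStaysInAttribute(safe));
    }
}
```

Running the class prints the unsafe rendering with the probe's quote and tag intact (the check reports false) and the safe rendering with them encoded as `&quot;`, `&lt;` and `&gt;` (the check reports true). The same encoding step belongs at every point where a request parameter is written into an HTML page; removing the examples web application, as the note recommends, removes the affected page entirely.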
Solution: remove the examples web application.
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apache Tomcat | Affected | 02 Jul 2007 | 22 Jul 2007 |
Thanks to Tomasz Kuczynski for reporting this vulnerability.
This document was written by Will Dormann.
- CVE IDs: CVE-2007-3383
- Date Public: 21 Jul 2007
- Date First Published: 22 Jul 2007
- Date Last Updated: 22 Jul 2007
- Severity Metric: 3.83
- Document Revision: 7