Vulnerabilities > Apache > Tomcat
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2011-05-07 | CVE-2011-1570 | Cross-Site Scripting vulnerability in Liferay Portal Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to inject arbitrary web script or HTML via a message title, a different vulnerability than CVE-2004-2030. | 3.5 |
| 2011-05-07 | CVE-2011-1503 | Information Exposure vulnerability in Liferay Portal The XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat or Oracle GlassFish is used, allows remote authenticated users to read arbitrary (1) XSL and (2) XML files via a file:/// URL. | 3.5 |
| 2011-05-07 | CVE-2011-1502 | Information Exposure vulnerability in Liferay Portal Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue. | 4.0 |
| 2011-04-08 | CVE-2011-1475 | Improper Input Validation vulnerability in Apache Tomcat The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users." | 5.0 |
| 2010-11-26 | CVE-2010-4312 | Configuration vulnerability in Apache Tomcat The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie. | 6.4 |
| 2010-08-05 | CVE-2009-2696 | Cross-Site Scripting vulnerability in Apache Tomcat Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781. | 4.3 |
| 2009-06-05 | CVE-2009-0783 | Information Exposure vulnerability in Apache Tomcat Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. | 4.2 |
| 2008-02-12 | CVE-2008-0002 | Remote Information Disclosure vulnerability in Apache Tomcat Parameter Processing Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitive information, as demonstrated by disconnecting during this processing in order to trigger the exception. network apache | 5.8 |
| 2007-09-05 | CVE-2007-4724 | Cross-Site Request Forgery (CSRF) vulnerability in Apache Tomcat 4.1.31 Cross-site request forgery (CSRF) vulnerability in cal2.jsp in the calendar examples application in Apache Tomcat 4.1.31 allows remote attackers to add events as arbitrary users via the time and description parameters. | 4.3 |
| 2007-08-14 | CVE-2007-3386 | Cross-Site Scripting vulnerability in Apache Tomcat Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action. | 4.3 |