According to http://tomcat.apache.org/security-5.html "Various JSPs included as part of the JSP examples and the Tomcat Manager are susceptible to a cross-site scripting attack as they do not escape user provided data before including it in the returned page." Affects: 5.0.0-5.0.30, 5.5.0-5.5.6
This has been corrected in various versions of Satellite: https://access.redhat.com/security/cve/CVE-2005-4838