According to http://tomcat.apache.org/security-5.html low: Cross-site scripting CVE-2007-2450 The Manager and Host Manager web applications did not escape user provided data before including it in the output. This enabled a XSS attack. These applciations now filter the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed. Affects: 5.0.0-5.0.30, 5.5.0-5.5.24 Example: <form action="http://example.com:8080/manager/html/upload" method="post" enctype="multipart/form-data"> <INPUT TYPE="hidden" NAME='deployWar";filename="<script>alert()</script>" Content-Type: image/gif' VALUE="abc"> <input type="submit"> </form>
tomcat5-5.5.25-1jpp.1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
tomcat5-5.5.25-1jpp.1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.