A cross-site-scripting flaw was discovered in the manager application. It reflected the user-provided parameters sort and orderBy directly, without any filtering applied.
The issue affects Tomcat 6 (impact=moderate): from 6.0.12 to 6.0.29, and was fixed in r1037779:
http://svn.apache.org/viewvc?rev=1037779&view=rev
Upstream 6.0.30 will correct this flaw, as noted:
http://tomcat.apache.org/security-6.html
The issue affects Tomcat 7 (impact=low, as caught by CSRF protection): from 7.0.0 to 7.0.4, and was fixed in r1037778:
http://svn.apache.org/viewvc?rev=1037778&view=rev
Upstream 7.0.5 will correct this flaw, as noted:
http://tomcat.apache.org/security-7.html
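The reflection described in the report, and the output-encoding fix it calls for, as an added example that is not Tomcat's own manager code: a minimal rendering of a manager-style sort link that first echoes sort and orderBy verbatim and then passes them through a small HTML-escaping helper. The class and method names (ManagerSortLink, htmlEscape, renderLinkUnsafe, renderLinkSafe) are hypothetical, and the sample parameter value is constructed.

```java
public class ManagerSortLink {

    // Escape HTML metacharacters so a parameter value is rendered as text,
    // never as markup (covers element content and quoted attribute values).
    static String htmlEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The bug class in the report: sort and orderBy are echoed verbatim,
    // so any HTML in them becomes part of the page.
    static String renderLinkUnsafe(String sort, String orderBy) {
        return "<a href=\"?sort=" + sort + "&amp;orderBy=" + orderBy + "\">"
                + "Sort by " + sort + " (" + orderBy + ")</a>";
    }

    // Hardened form: each untrusted value is encoded at the point of output.
    // Restricting sort to a fixed list of known column names would be stronger still.
    static String renderLinkSafe(String sort, String orderBy) {
        String s = htmlEscape(sort);
        String o = htmlEscape(orderBy);
        return "<a href=\"?sort=" + s + "&amp;orderBy=" + o + "\">"
                + "Sort by " + s + " (" + o + ")</a>";
    }

    public static void main(String[] args) {
        // Constructed sample value carrying HTML metacharacters.
        String sort = "name\" <b>x</b> & 'q'";
        String orderBy = "asc";
        System.out.println("unsafe: " + renderLinkUnsafe(sort, orderBy));
        System.out.println("safe:   " + renderLinkSafe(sort, orderBy));
    }
}
```

In the unsafe output the `<b>` and the stray quote land in the page as markup; in the safe output they survive only as `&lt;b&gt;` and `&quot;`, which a browser shows literally.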
Tomcat 6.0.30 has been released to fix this flaw: http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30
Created tomcat6 tracking bugs for this issue.
Affects: fedora-all [bug 669463]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0791 https://rhn.redhat.com/errata/RHSA-2011-0791.html
Upstream announcement: http://seclists.org/fulldisclosure/2010/Nov/283
This issue has been addressed in the following products:
JBoss Enterprise Web Server 1.0
Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html
This issue has been addressed in the following products:
JBEWS 1.0 for RHEL 5
JBEWS 1.0 for RHEL 4
JBEWS 1 for RHEL 6
Via RHSA-2011:0897 https://rhn.redhat.com/errata/RHSA-2011-0897.html