Apache Tomcat /servlet Mapping XSS

This script is Copyright (C) 2002-2015 Matt Moore

Synopsis :

The remote web server is affected by a cross-site scripting issue.

Description :

Apache Tomcat is the servlet container that is used in the official
Reference Implementation for the Java Servlet and JavaServer Pages

By using the /servlet/ mapping to invoke various servlets / classes it
is possible to cause Tomcat to throw an exception, allowing XSS

Solution :

The 'invoker' servlet (mapped to /servlet/), which executes anonymous
servlet classes that have not been defined in a web.xml file, should be

The entry for this can be found in the
/tomcat-install-dir/conf/web.xml file.
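The audit helper below is an added example, not part of the Nessus plugin: it parses a conf/web.xml and reports the URL patterns under which the invoker servlet is still reachable, so an administrator can confirm the entry is really disabled rather than just edited. The class name org.apache.catalina.servlets.InvokerServlet is Tomcat's stock invoker class (an assumption; this page does not name it), and the web.xml fragments are constructed for illustration.

```python
"""Audit a Tomcat conf/web.xml for an active invoker servlet mapping.
Added example for this advisory, not Nessus plugin code. INVOKER_CLASS is
Tomcat's default invoker class (an assumption; the page does not name it)
and the sample web.xml strings are constructed."""
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

def _local(tag):
    # Strip a namespace prefix ({ns}name -> name) so DTD-based (Tomcat 4)
    # and namespaced (Tomcat 5+) web.xml files are both handled.
    return tag.rsplit("}", 1)[-1]

def _fields(el):
    # Map a <servlet> or <servlet-mapping> block's child tags to their text.
    return {_local(c.tag): (c.text or "").strip() for c in el}

def invoker_mappings(web_xml_text):
    """Return the url-patterns through which the invoker servlet is reachable.
    Commented-out blocks are invisible to the parser, so [] means disabled."""
    root = ET.fromstring(web_xml_text)
    servlets = [_fields(e) for e in root.iter() if _local(e.tag) == "servlet"]
    mappings = [_fields(e) for e in root.iter() if _local(e.tag) == "servlet-mapping"]
    names = {s.get("servlet-name") for s in servlets if s.get("servlet-class") == INVOKER_CLASS}
    return [m.get("url-pattern") for m in mappings if m.get("servlet-name") in names]

# Constructed fragment in the shape of the stock Tomcat 4 conf/web.xml entries.
VULNERABLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Hardened form: the invoker entries wrapped in an XML comment, so the
# container never registers the servlet or its /servlet/* mapping.
FIXED_WEB_XML = VULNERABLE_WEB_XML.replace("<web-app>", "<web-app><!--") \
                                  .replace("</web-app>", "--></web-app>")

if __name__ == "__main__":
    print(invoker_mappings(VULNERABLE_WEB_XML))  # ['/servlet/*']
    print(invoker_mappings(FIXED_WEB_XML))       # []
```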

Risk factor :

Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 4.3
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 11041 (apache_Tomcat_Servlet_XSS.nasl)

Bugtraq ID: 5193

CVE ID: CVE-2002-0682