Apache Tomcat 3.x < 3.2.2 JSP Error Condition XSS

Medium Nessus Plugin ID 50448


The remote Apache Tomcat server is affected by a cross-site scripting vulnerability.


The instance of Apache Tomcat 3.x listening on the remote host is affected by a cross-site scripting vulnerability. An attacker can embed JavaScript in a request for a JSP file that triggers an error condition. The request is not sanitized before it is displayed on the application error page.


Update to Apache Tomcat version 3.2.2 or later.

See Also


http://www.mail-archive.com/[email protected]/msg06679.html

Plugin Details

Severity: Medium

ID: 50448

File Name: tomcat_3_2_2.nasl

Version: $Revision: 1.11 $

Type: remote

Family: Web Servers

Published: 2010/11/02

Modified: 2018/01/24

Dependencies: 39446

Risk Information

Risk Factor: Medium


CVSS v2

Base Score: 5.1

Temporal Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:H/RL:U/RC:C


CVSS v3.0

Base Score: 5.6

Temporal Score: 5.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:H/RL:U/RC:C

Vulnerability Information

CPE: cpe:/a:apache:tomcat

Required KB Items: installed_sw/Apache Tomcat

Exploit Available: true

Exploit Ease: No exploit is required

Patch Publication Date: 2002/08/30

Vulnerability Publication Date: 2001/03/17

Reference Information

CVE: CVE-2001-0829

BID: 2982

OSVDB: 844

CWE: 20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990