CVE-2011-0013

Name: CVE-2011-0013
Description: Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
Source: CVE (at NVD)
References: DSA-2160-1
NVD severity: medium (attack range: remote)
Debian Bugs: 612257

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
tomcat6 (PTS) | wheezy | 6.0.45+dfsg-1~deb7u1 | fixed
tomcat6 (PTS) | wheezy (security) | 6.0.45+dfsg-1~deb7u5 | fixed
tomcat6 (PTS) | jessie (security), jessie | 6.0.45+dfsg-1~deb8u1 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
tomcat5.5 | source | (unstable) | (unfixed) | low | |
tomcat6 | source | (unstable) | 6.0.28-10 | medium | | 612257
tomcat6 | source | lenny | (not affected) | | |
tomcat6 | source | squeeze | 6.0.28-9+squeeze1 | medium | DSA-2160-1 |

Notes

[lenny] - tomcat5.5 <no-dsa> (Minor issue)
[lenny] - tomcat6 <not-affected> (Only ships the servlet package)
