Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Informations
Name CVE-2011-0013 First vendor Publication 2011-02-18
Vendor Cve Last vendor Modification 2019-03-25

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12878
 
Oval ID: oval:org.mitre.oval:def:12878
Title: HP-UX Apache Web Server, Remote Information Disclosure, Cross-Site Scripting (XSS), Denial of Service (DoS)
Description: Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
Family: unix Class: vulnerability
Reference(s): CVE-2011-0013
Version: 13
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14945
 
Oval ID: oval:org.mitre.oval:def:14945
Title: HP-UX Apache Running Tomcat Servlet Engine, Remote Information Disclosure, Authentication Bypass, Cross-Site Scripting (XSS), Unauthorized Access, Denial of Service (DoS)
Description: Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
Family: unix Class: vulnerability
Reference(s): CVE-2011-0013
Version: 11
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19269
 
Oval ID: oval:org.mitre.oval:def:19269
Title: HP-UX Apache Running Tomcat Servlet Engine, Remote Denial of Service (DoS), Access Restriction Bypass, Unauthorized Modification and Other Vulnerabilities
Description: Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
Family: unix Class: vulnerability
Reference(s): CVE-2011-0013
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21956
 
Oval ID: oval:org.mitre.oval:def:21956
Title: RHSA-2011:0791: tomcat6 security and bug fix update (Moderate)
Description: Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
Family: unix Class: patch
Reference(s): RHSA-2011:0791-01
CVE-2010-3718
CVE-2010-4172
CVE-2011-0013
Version: 42
Platform(s): Red Hat Enterprise Linux 6
Product(s): tomcat6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23523
 
Oval ID: oval:org.mitre.oval:def:23523
Title: ELSA-2011:0791: tomcat6 security and bug fix update (Moderate)
Description: Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
Family: unix Class: patch
Reference(s): ELSA-2011:0791-01
CVE-2010-3718
CVE-2010-4172
CVE-2011-0013
Version: 17
Platform(s): Oracle Linux 6
Product(s): tomcat6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28146
 
Oval ID: oval:org.mitre.oval:def:28146
Title: DEPRECATED: ELSA-2011-0791 -- tomcat6 security and bug fix update (moderate)
Description: [6.0.24-33] - resolves: rhbz 695284 - multiple instances logging fiasco [6.0.24-32] - Resolves: rhbz 698624 - inet4address can't be cast to String [6.0.24-31] - Resolves: rhbz 656403 - cve-2010-4172 jsp syntax error [6.0.24-30] - Resolves: rhbz#697504 initscript logging location [6.0.24-29] - Resolves: rhbz#656403, rhbz#675926, rhbz#676011 - CVE-2010-4172, CVE-2010-3718, CVE-2011-0013, CVE-2010-4476, - CVE-2011-0534 [6.0.24-28] - Resovles rhbz#695284 - wrapper logs to different locations - CVE-2010-4172, CVE-2011-0013, CVE-2010-3718 commented out - until needed. [6.0.24-27] - naming-factory-dbcp missing fix in tomcat6.conf - Add Obsoletes for log4j [6.0.24-26] - Add log4j to package lib. Corrected typo in log4 Provides - epock versus epoch [6.0.24-25] - Installed permissions do not allow tomcat to start - incrementing NVR so yum won't get confused with the zstream
Family: unix Class: patch
Reference(s): ELSA-2011-0791
CVE-2010-3718
CVE-2010-4172
CVE-2011-0013
Version: 4
Platform(s): Oracle Linux 6
Product(s): tomcat6
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 65

OpenVAS Exploits

Date Description
2012-08-10 Name : Gentoo Security Advisory GLSA 201206-24 (apache tomcat)
File : nvt/glsa_201206_24.nasl
2012-07-30 Name : CentOS Update for tomcat5 CESA-2011:1845 centos5 x86_64
File : nvt/gb_CESA-2011_1845_tomcat5_centos5_x86_64.nasl
2012-06-06 Name : RedHat Update for tomcat6 RHSA-2011:0791-01
File : nvt/gb_RHSA-2011_0791-01_tomcat6.nasl
2011-12-23 Name : CentOS Update for tomcat5 CESA-2011:1845 centos5 i386
File : nvt/gb_CESA-2011_1845_tomcat5_centos5_i386.nasl
2011-12-23 Name : RedHat Update for tomcat5 RHSA-2011:1845-01
File : nvt/gb_RHSA-2011_1845-01_tomcat5.nasl
2011-10-21 Name : Fedora Update for tomcat6 FEDORA-2011-13457
File : nvt/gb_fedora_2011_13457_tomcat6_fc14.nasl
2011-10-20 Name : Mac OS X v10.6.8 Multiple Vulnerabilities (2011-006)
File : nvt/gb_macosx_su11-006.nasl
2011-05-05 Name : HP-UX Update for Apache Web Server HPSBUX02645
File : nvt/gb_hp_ux_HPSBUX02645.nasl
2011-04-01 Name : Ubuntu Update for tomcat6 vulnerabilities USN-1097-1
File : nvt/gb_ubuntu_USN_1097_1.nasl
2011-03-07 Name : Debian Security Advisory DSA 2160-1 (tomcat6)
File : nvt/deb_2160_1.nasl
2011-03-05 Name : FreeBSD Ports: tomcat55
File : nvt/freebsd_tomcat55.nasl
2011-02-22 Name : Mandriva Update for tomcat5 MDVSA-2011:030 (tomcat5)
File : nvt/gb_mandriva_MDVSA_2011_030.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
71557 Apache Tomcat HTML Manager Multiple XSS

The HTML Manager Interface in Apache Tomcat contains multiple flaws that allow a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input related to the display-name tag before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Nessus® Vulnerability Scanner

Date Description
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : suse_11_3_tomcat6-110211.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2011-1845.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20110519_tomcat6_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20111220_tomcat5_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-06-25 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201206-24.nasl - Type : ACT_GATHER_INFO
2011-12-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-1845.nasl - Type : ACT_GATHER_INFO
2011-12-21 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2011-1845.nasl - Type : ACT_GATHER_INFO
2011-10-21 Name : The remote Fedora host is missing a security update.
File : fedora_2011-13457.nasl - Type : ACT_GATHER_INFO
2011-10-13 Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2011-006.nasl - Type : ACT_GATHER_INFO
2011-05-20 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-0791.nasl - Type : ACT_GATHER_INFO
2011-05-05 Name : The remote openSUSE host is missing a security update.
File : suse_11_2_tomcat6-110211.nasl - Type : ACT_GATHER_INFO
2011-03-30 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1097-1.nasl - Type : ACT_GATHER_INFO
2011-03-18 Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12687.nasl - Type : ACT_GATHER_INFO
2011-03-03 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_tomcat5-7337.nasl - Type : ACT_GATHER_INFO
2011-02-20 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2011-030.nasl - Type : ACT_GATHER_INFO
2011-02-16 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_553ec4ed38d611e094b1000c29ba66d2.nasl - Type : ACT_GATHER_INFO
2011-02-14 Name : The remote web server is affected by multiple vulnerabilities.
File : tomcat_6_0_30.nasl - Type : ACT_GATHER_INFO
2011-02-14 Name : The remote web server is affected by a cross-site scripting vulnerability.
File : tomcat_7_0_6.nasl - Type : ACT_GATHER_INFO
2011-02-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2160.nasl - Type : ACT_GATHER_INFO
2011-02-11 Name : The remote web server is affected by a cross-site scripting vulnerability.
File : tomcat_5_5_32.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
APPLE http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
BID http://www.securityfocus.com/bid/46174
BUGTRAQ http://www.securityfocus.com/archive/1/516209/30/90/threaded
CONFIRM http://support.apple.com/kb/HT5002
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_50985...
http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_(releas...
DEBIAN http://www.debian.org/security/2011/dsa-2160
HP http://marc.info/?l=bugtraq&m=130168502603566&w=2
http://marc.info/?l=bugtraq&m=132215163318824&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
MANDRIVA http://www.mandriva.com/security/advisories?name=MDVSA-2011:030
MISC https://bugzilla.redhat.com/show_bug.cgi?id=675786
MLIST https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efb...
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c8...
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471...
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca45...
OVAL https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
REDHAT http://www.redhat.com/support/errata/RHSA-2011-0791.html
http://www.redhat.com/support/errata/RHSA-2011-0896.html
http://www.redhat.com/support/errata/RHSA-2011-0897.html
http://www.redhat.com/support/errata/RHSA-2011-1845.html
SECTRACK http://www.securitytracker.com/id?1025026
SECUNIA http://secunia.com/advisories/43192
http://secunia.com/advisories/45022
http://secunia.com/advisories/57126
SREASON http://securityreason.com/securityalert/8093
SUSE http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
VUPEN http://www.vupen.com/english/advisories/2011/0376

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Date Informations
2020-05-23 00:27:29
  • Multiple Updates
2019-03-25 17:18:57
  • Multiple Updates
2019-03-21 21:19:09
  • Multiple Updates
2019-03-19 12:03:58
  • Multiple Updates
2018-08-14 00:19:29
  • Multiple Updates
2017-09-19 09:24:07
  • Multiple Updates
2016-08-23 09:24:41
  • Multiple Updates
2016-04-26 20:26:49
  • Multiple Updates
2014-06-14 13:29:59
  • Multiple Updates
2014-03-18 13:22:00
  • Multiple Updates
2014-03-08 13:21:39
  • Multiple Updates
2014-02-17 10:59:14
  • Multiple Updates
2014-02-12 13:22:06
  • Multiple Updates
2013-12-05 17:19:06
  • Multiple Updates
2013-11-15 13:19:50
  • Multiple Updates
2013-06-05 13:19:30
  • Multiple Updates
2013-05-10 22:51:39
  • Multiple Updates
2012-11-07 05:19:57
  • Multiple Updates