Search for packages
| purl | pkg:apache/tomcat@4.1.36 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-27q8-96un-9fbk
Aliases: CVE-2007-1355 GHSA-4c6x-gfc8-c26r |
Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors. |
Affected by 3 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-6p3e-4u8s-17ep
Aliases: CVE-2007-3385 GHSA-6j8f-66vh-39mj |
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. |
Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-7969-7a8h-zyhh
Aliases: CVE-2007-3382 GHSA-qff8-g48j-pwpw |
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks. |
Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-88v7-kc2y-bfd7
Aliases: CVE-2007-5461 GHSA-v5p2-vg3c-pmrr |
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-mp3r-5531-uqg5
Aliases: CVE-2005-3164 GHSA-qhqv-q4xg-f6g7 |
The AJP connector in Apache Tomcat 4.0.1 through 4.0.6 and 4.1.0 through 4.1.36, as used in Hitachi Cosminexus Application Server and standalone, does not properly handle when a connection is broken before request body data is sent in a POST request, which can lead to an information leak when "unsuitable request body data" is used for a different request, possibly related to Java Servlet pages. |
Affected by 3 other vulnerabilities. |
|
VCID-p45v-qpgg-qqfj
Aliases: CVE-2007-3383 GHSA-wjwr-3jch-479j |
Cross-site scripting (XSS) vulnerability in SendMailServlet in the examples web application (examples/jsp/mail/sendmail.jsp) in Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.36 allows remote attackers to inject arbitrary web script or HTML via the From field and possibly other fields, related to generation of error messages. |
Affected by 3 other vulnerabilities. |
|
VCID-peya-mr7j-vugf
Aliases: CVE-2007-2449 GHSA-hc39-rjwp-qffq |
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence. |
Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-tcju-3rvu-wkht
Aliases: CVE-2007-2450 GHSA-5c5p-jxvx-x7j2 |
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors. |
Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-v94p-bxm3-akfd
Aliases: CVE-2007-5333 GHSA-cww4-vj5r-rx57 |
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-6epr-2hbd-skcz | Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." |
CVE-2005-2090
GHSA-f2gq-p6qv-ccw4 |
| VCID-87p8-zvvf-y7dm | Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache. |
CVE-2007-0450
GHSA-4prh-gqw8-rgh5 |
| VCID-qxkf-4ddv-j3b7 | Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616". |
CVE-2007-1358
GHSA-xmc9-6p56-3c4v |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:20.161294+00:00 | Apache Tomcat Importer | Fixing | VCID-qxkf-4ddv-j3b7 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.127259+00:00 | Apache Tomcat Importer | Fixing | VCID-87p8-zvvf-y7dm | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.092889+00:00 | Apache Tomcat Importer | Fixing | VCID-6epr-2hbd-skcz | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.053848+00:00 | Apache Tomcat Importer | Affected by | VCID-88v7-kc2y-bfd7 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.024321+00:00 | Apache Tomcat Importer | Affected by | VCID-v94p-bxm3-akfd | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.996826+00:00 | Apache Tomcat Importer | Affected by | VCID-6p3e-4u8s-17ep | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.966603+00:00 | Apache Tomcat Importer | Affected by | VCID-p45v-qpgg-qqfj | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.932565+00:00 | Apache Tomcat Importer | Affected by | VCID-7969-7a8h-zyhh | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.900705+00:00 | Apache Tomcat Importer | Affected by | VCID-tcju-3rvu-wkht | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.867182+00:00 | Apache Tomcat Importer | Affected by | VCID-peya-mr7j-vugf | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.834648+00:00 | Apache Tomcat Importer | Affected by | VCID-27q8-96un-9fbk | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.798454+00:00 | Apache Tomcat Importer | Affected by | VCID-mp3r-5531-uqg5 | https://tomcat.apache.org/security-4.html | 38.0.0 |