Search for packages
| purl | pkg:apache/tomcat@4.1.37 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-a9cu-fxqw-xkdg
Aliases: CVE-2008-1232 GHSA-q74x-qqhr-f8rx |
Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-acmu-9eqb-fya5
Aliases: CVE-2008-2370 GHSA-m8h8-6rvg-f4mg |
Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-qdck-q54n-rkcv
Aliases: CVE-2008-0128 |
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. |
Affected by 5 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-27q8-96un-9fbk | Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors. |
CVE-2007-1355
GHSA-4c6x-gfc8-c26r |
| VCID-6p3e-4u8s-17ep | Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. |
CVE-2007-3385
GHSA-6j8f-66vh-39mj |
| VCID-7969-7a8h-zyhh | Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks. |
CVE-2007-3382
GHSA-qff8-g48j-pwpw |
| VCID-88v7-kc2y-bfd7 | Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag. |
CVE-2007-5461
GHSA-v5p2-vg3c-pmrr |
| VCID-mp3r-5531-uqg5 | The AJP connector in Apache Tomcat 4.0.1 through 4.0.6 and 4.1.0 through 4.1.36, as used in Hitachi Cosminexus Application Server and standalone, does not properly handle when a connection is broken before request body data is sent in a POST request, which can lead to an information leak when "unsuitable request body data" is used for a different request, possibly related to Java Servlet pages. |
CVE-2005-3164
GHSA-qhqv-q4xg-f6g7 |
| VCID-p45v-qpgg-qqfj | Cross-site scripting (XSS) vulnerability in SendMailServlet in the examples web application (examples/jsp/mail/sendmail.jsp) in Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.36 allows remote attackers to inject arbitrary web script or HTML via the From field and possibly other fields, related to generation of error messages. |
CVE-2007-3383
GHSA-wjwr-3jch-479j |
| VCID-peya-mr7j-vugf | Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence. |
CVE-2007-2449
GHSA-hc39-rjwp-qffq |
| VCID-tcju-3rvu-wkht | Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors. |
CVE-2007-2450
GHSA-5c5p-jxvx-x7j2 |
| VCID-v94p-bxm3-akfd | Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385. |
CVE-2007-5333
GHSA-cww4-vj5r-rx57 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:20.056017+00:00 | Apache Tomcat Importer | Fixing | VCID-88v7-kc2y-bfd7 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.026407+00:00 | Apache Tomcat Importer | Fixing | VCID-v94p-bxm3-akfd | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.999033+00:00 | Apache Tomcat Importer | Fixing | VCID-6p3e-4u8s-17ep | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.968706+00:00 | Apache Tomcat Importer | Fixing | VCID-p45v-qpgg-qqfj | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.934633+00:00 | Apache Tomcat Importer | Fixing | VCID-7969-7a8h-zyhh | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.902911+00:00 | Apache Tomcat Importer | Fixing | VCID-tcju-3rvu-wkht | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.869134+00:00 | Apache Tomcat Importer | Fixing | VCID-peya-mr7j-vugf | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.836742+00:00 | Apache Tomcat Importer | Fixing | VCID-27q8-96un-9fbk | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.800134+00:00 | Apache Tomcat Importer | Fixing | VCID-mp3r-5531-uqg5 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.762454+00:00 | Apache Tomcat Importer | Affected by | VCID-acmu-9eqb-fya5 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.734069+00:00 | Apache Tomcat Importer | Affected by | VCID-a9cu-fxqw-xkdg | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.705685+00:00 | Apache Tomcat Importer | Affected by | VCID-qdck-q54n-rkcv | https://tomcat.apache.org/security-4.html | 38.0.0 |