Vulnerability details: VCID-a9cu-fxqw-xkdg
Vulnerability ID VCID-a9cu-fxqw-xkdg
Aliases CVE-2008-1232
GHSA-q74x-qqhr-f8rx
Summary Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method.
Status Published
Exploitability 2.0
Weighted Severity 6.2
Risk 10.0
System Score Found at
generic_textual MODERATE http://community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15/ca20090615-02-ca-service-desk-tomcat-cross-site-scripting-vulnerability.aspx
generic_textual MODERATE http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
generic_textual MODERATE http://marc.info/?l=bugtraq&m=123376588623823&w=2
generic_textual MODERATE http://marc.info/?l=bugtraq&m=139344343412337&w=2
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2008:0648
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2008:0862
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2008:0864
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2008:0877
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2008:1007
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2010:0602
generic_textual MODERATE https://access.redhat.com/security/cve/CVE-2008-1232
epss 0.38145 https://api.first.org/data/v1/epss?cve=CVE-2008-1232
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=457597
apache_tomcat Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
generic_textual MODERATE http://secunia.com/advisories/31379
generic_textual MODERATE http://secunia.com/advisories/31381
generic_textual MODERATE http://secunia.com/advisories/31639
generic_textual MODERATE http://secunia.com/advisories/31865
generic_textual MODERATE http://secunia.com/advisories/31891
generic_textual MODERATE http://secunia.com/advisories/31982
generic_textual MODERATE http://secunia.com/advisories/32120
generic_textual MODERATE http://secunia.com/advisories/32222
generic_textual MODERATE http://secunia.com/advisories/32266
generic_textual MODERATE http://secunia.com/advisories/33797
generic_textual MODERATE http://secunia.com/advisories/33999
generic_textual MODERATE http://secunia.com/advisories/34013
generic_textual MODERATE http://secunia.com/advisories/35474
generic_textual MODERATE http://secunia.com/advisories/36108
generic_textual MODERATE http://secunia.com/advisories/37460
generic_textual MODERATE http://secunia.com/advisories/57126
generic_textual MODERATE http://securityreason.com/securityalert/4098
generic_textual MODERATE https://exchange.xforce.ibmcloud.com/vulnerabilities/44155
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-q74x-qqhr-f8rx
generic_textual MODERATE https://github.com/apache/tomcat
generic_textual MODERATE https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
cvssv2 4.3 https://nvd.nist.gov/vuln/detail/CVE-2008-1232
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2008-1232
generic_textual MODERATE https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11181
generic_textual MODERATE https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5985
generic_textual MODERATE https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209500
generic_textual MODERATE https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214095
generic_textual MODERATE http://support.apple.com/kb/HT3216
generic_textual MODERATE http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm
generic_textual MODERATE https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html
generic_textual MODERATE https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html
generic_textual MODERATE https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html
generic_textual MODERATE http://tomcat.apache.org/security-4.html
generic_textual MODERATE http://tomcat.apache.org/security-5.html
generic_textual MODERATE http://tomcat.apache.org/security-6.html
generic_textual MODERATE http://www.mandriva.com/security/advisories?name=MDVSA-2008:188
generic_textual MODERATE http://www.redhat.com/support/errata/RHSA-2008-0648.html
generic_textual MODERATE http://www.redhat.com/support/errata/RHSA-2008-0862.html
generic_textual MODERATE http://www.redhat.com/support/errata/RHSA-2008-0864.html
generic_textual MODERATE http://www.securityfocus.com/archive/1/495021/100/0/threaded
generic_textual MODERATE http://www.securityfocus.com/archive/1/504351/100/0/threaded
generic_textual MODERATE http://www.securityfocus.com/archive/1/505556/100/0/threaded
generic_textual MODERATE http://www.securityfocus.com/archive/1/507985/100/0/threaded
generic_textual MODERATE http://www.securityfocus.com/bid/30496
generic_textual MODERATE http://www.securityfocus.com/bid/31681
generic_textual MODERATE http://www.securitytracker.com/id?1020622
generic_textual MODERATE http://www.vmware.com/security/advisories/VMSA-2009-0002.html
generic_textual MODERATE http://www.vmware.com/security/advisories/VMSA-2009-0016.html
generic_textual MODERATE http://www.vupen.com/english/advisories/2008/2305
generic_textual MODERATE http://www.vupen.com/english/advisories/2008/2780
generic_textual MODERATE http://www.vupen.com/english/advisories/2008/2823
generic_textual MODERATE http://www.vupen.com/english/advisories/2009/0320
generic_textual MODERATE http://www.vupen.com/english/advisories/2009/0503
generic_textual MODERATE http://www.vupen.com/english/advisories/2009/1609
generic_textual MODERATE http://www.vupen.com/english/advisories/2009/2194
generic_textual MODERATE http://www.vupen.com/english/advisories/2009/3316
Reference id Reference type URL
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15/ca20090615-02-ca-service-desk-tomcat-cross-site-scripting-vulnerability.aspx
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
http://marc.info/?l=bugtraq&m=123376588623823&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
https://access.redhat.com/errata/RHSA-2008:0648
https://access.redhat.com/errata/RHSA-2008:0862
https://access.redhat.com/errata/RHSA-2008:0864
https://access.redhat.com/errata/RHSA-2008:0877
https://access.redhat.com/errata/RHSA-2008:1007
https://access.redhat.com/errata/RHSA-2010:0602
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-1232.json
https://api.first.org/data/v1/epss?cve=CVE-2008-1232
https://bugzilla.redhat.com/show_bug.cgi?id=457597
http://secunia.com/advisories/31379
http://secunia.com/advisories/31381
http://secunia.com/advisories/31639
http://secunia.com/advisories/31865
http://secunia.com/advisories/31891
http://secunia.com/advisories/31982
http://secunia.com/advisories/32120
http://secunia.com/advisories/32222
http://secunia.com/advisories/32266
http://secunia.com/advisories/33797
http://secunia.com/advisories/33999
http://secunia.com/advisories/34013
http://secunia.com/advisories/35474
http://secunia.com/advisories/36108
http://secunia.com/advisories/37460
http://secunia.com/advisories/57126
http://securityreason.com/securityalert/4098
https://exchange.xforce.ibmcloud.com/vulnerabilities/44155
https://github.com/apache/tomcat
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11181
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5985
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209500
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214095
https://svn.apache.org/viewvc?view=rev&rev=673834
https://svn.apache.org/viewvc?view=rev&rev=680947
http://support.apple.com/kb/HT3216
http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://www.mandriva.com/security/advisories?name=MDVSA-2008:188
http://www.redhat.com/support/errata/RHSA-2008-0648.html
http://www.redhat.com/support/errata/RHSA-2008-0862.html
http://www.redhat.com/support/errata/RHSA-2008-0864.html
http://www.securityfocus.com/archive/1/495021/100/0/threaded
http://www.securityfocus.com/archive/1/504351/100/0/threaded
http://www.securityfocus.com/archive/1/505556/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/bid/30496
http://www.securityfocus.com/bid/31681
http://www.securitytracker.com/id?1020622
http://www.vmware.com/security/advisories/VMSA-2009-0002.html
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2008/2305
http://www.vupen.com/english/advisories/2008/2780
http://www.vupen.com/english/advisories/2008/2823
http://www.vupen.com/english/advisories/2009/0320
http://www.vupen.com/english/advisories/2009/0503
http://www.vupen.com/english/advisories/2009/1609
http://www.vupen.com/english/advisories/2009/2194
http://www.vupen.com/english/advisories/2009/3316
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
CVE-2008-1232 https://access.redhat.com/security/cve/CVE-2008-1232
CVE-2008-1232 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
CVE-2008-1232 https://nvd.nist.gov/vuln/detail/CVE-2008-1232
CVE-2008-1232;OSVDB-47462 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/32138.txt
CVE-2008-1232;OSVDB-47462 Exploit https://www.securityfocus.com/bid/30496/info
GHSA-q74x-qqhr-f8rx https://github.com/advisories/GHSA-q74x-qqhr-f8rx
Data source Exploit-DB
Date added Aug. 1, 2008
Description Apache Tomcat 6.0.16 - 'HttpServletResponse.sendError()' Cross-Site Scripting
Ransomware campaign use Known
Source publication date Aug. 1, 2008
Exploit type remote
Platform multiple
Source update date March 10, 2014
Source URL https://www.securityfocus.com/bid/30496/info
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2008-1232
Access Vector (AV) network
Access Complexity (AC) medium
Authentication (Au) none
Confidentiality Impact (C) none
Integrity Impact (I) partial
Availability Impact (A) none
Exploit Prediction Scoring System (EPSS)
Percentile 0.97192
EPSS Score 0.38145
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:38:17.578675+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-6.html 38.0.0