Vulnerability details: VCID-qxkf-4ddv-j3b7
Vulnerability ID VCID-qxkf-4ddv-j3b7
Aliases CVE-2007-1358
GHSA-xmc9-6p56-3c4v
Summary Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
Status Published
Exploitability 0.5
Weighted Severity 2.7
Risk 1.4
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
generic_textual LOW http://docs.info.apple.com/article.html?artnum=306172
generic_textual LOW http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
generic_textual LOW http://rhn.redhat.com/errata/RHSA-2008-0630.html
epss 0.39862 https://api.first.org/data/v1/epss?cve=CVE-2007-1358
apache_tomcat Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358
cvssv3.1_qr LOW https://github.com/advisories/GHSA-xmc9-6p56-3c4v
generic_textual LOW https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
generic_textual LOW https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
generic_textual LOW https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
cvssv2 2.6 https://nvd.nist.gov/vuln/detail/CVE-2007-1358
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2007-1358
generic_textual LOW https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
generic_textual LOW http://tomcat.apache.org/security-4.html
generic_textual LOW http://www.redhat.com/support/errata/RHSA-2008-0261.html
Reference id Reference type URL
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
http://docs.info.apple.com/article.html?artnum=306172
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
http://jvn.jp/jp/JVN%2316535199/index.html
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
http://osvdb.org/34881
http://rhn.redhat.com/errata/RHSA-2008-0630.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2007-1358.json
https://api.first.org/data/v1/epss?cve=CVE-2007-1358
http://secunia.com/advisories/25721
http://secunia.com/advisories/26235
http://secunia.com/advisories/26660
http://secunia.com/advisories/27037
http://secunia.com/advisories/27727
http://secunia.com/advisories/30899
http://secunia.com/advisories/30908
http://secunia.com/advisories/31493
http://secunia.com/advisories/33668
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10679
http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1
http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
http://tomcat.apache.org/security-4.html
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200704e.html
http://www.redhat.com/support/errata/RHSA-2008-0261.html
http://www.securityfocus.com/archive/1/471719/100/0/threaded
http://www.securityfocus.com/archive/1/500396/100/0/threaded
http://www.securityfocus.com/archive/1/500412/100/0/threaded
http://www.securityfocus.com/bid/24524
http://www.securityfocus.com/bid/25159
http://www.securitytracker.com/id?1018269
http://www.vupen.com/english/advisories/2007/1729
http://www.vupen.com/english/advisories/2007/2732
http://www.vupen.com/english/advisories/2007/3087
http://www.vupen.com/english/advisories/2007/3386
http://www.vupen.com/english/advisories/2008/1979/references
http://www.vupen.com/english/advisories/2009/0233
244803 https://bugzilla.redhat.com/show_bug.cgi?id=244803
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*
CVE-2007-1358 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358
CVE-2007-1358 https://nvd.nist.gov/vuln/detail/CVE-2007-1358
GHSA-xmc9-6p56-3c4v https://github.com/advisories/GHSA-xmc9-6p56-3c4v
RHSA-2007:0360 https://access.redhat.com/errata/RHSA-2007:0360
RHSA-2007:0876 https://access.redhat.com/errata/RHSA-2007:0876
RHSA-2008:0630 https://access.redhat.com/errata/RHSA-2008:0630
No exploits are available.
Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2007-1358
Exploitability (E): not_defined
Access Vector (AV): network
Access Complexity (AC): high
Authentication (Au): none
Confidentiality Impact (C): none
Integrity Impact (I): partial
Availability Impact (A): none
Exploit Prediction Scoring System (EPSS)
Percentile 0.97301
EPSS Score 0.39862
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:38:18.081180+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-6.html 38.0.0