CVE-2009-0781
Cross-site scripting in Apache Tomcat
EPSS 37.3%
Description
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML."
How to fix CVE-2009-0781
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Maven/org.apache.tomcat:tomcat (no fix listed)
Is CVE-2009-0781 being exploited?
Moderate: EPSS is 37.3%. Track this CVE, though it is not at the top of the prioritisation list.
Affected packages (1)
- >= 4.1.0, <= 4.1.39