CVE-2011-0013 — Improper Neutralization of Input During Web Page Generation in Apache Tomcat

Description

Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.

How to fix CVE-2011-0013

To remediate CVE-2011-0013, upgrade the affected package to a fixed version below.

Maven/org.apache.tomcat:tomcat—upgrade to 5.5.32 or later

Is CVE-2011-0013 being exploited?

Moderate — EPSS is 30.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 5.5.0, < 5.5.32

References (37)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-0013
PATCHgithub.com/apache/tomcat
WEBlists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
WEBlists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
WEB