tomcat-users mailing list archives

From "Carl K." <>
Subject Vulnerability from PCI scan
Date Tue, 01 Nov 2016 21:11:25 GMT

Control Scan has returned this as a vulnerability in Tomcat 8.0.38:

Vulnerable version of Apache Tomcat: 8.0.38

Risk: High (3)
Port: 443/tcp
Protocol: tcp
Threat ID: web_dev_tomcatver

Details: 404 Error Page Cross Site Scripting Vulnerability
Apache Tomcat is prone to a cross-site scripting vulnerability because 
it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in 
the browser
of an unsuspecting user in the context of the affected site.
Apache Tomcat mitigates HTTP_PROXY environment variable "httpoxy" issue

I have read everything I can find and it still doesn't make sense... can 
someone help to point me in the correct direction?

I am further puzzled because this is the first time this has come up and
we have run Tomcat for years... note that the date is listed as 12-21-2009.


