Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action.
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554
jvn.jp/jp/JVN%2359851336/index.html
lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
osvdb.org/36417
secunia.com/advisories/26465
secunia.com/advisories/26898
secunia.com/advisories/27037
secunia.com/advisories/27267
secunia.com/advisories/27727
secunia.com/advisories/28317
secunia.com/advisories/33668
securityreason.com/securityalert/3010
securitytracker.com/id?1018558
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
tomcat.apache.org/security-6.html
www.debian.org/security/2008/dsa-1447
www.mandriva.com/security/advisories?name=MDKSA-2007:241
www.redhat.com/support/errata/RHSA-2007-0871.html
www.securityfocus.com/archive/1/476448/100/0/threaded
www.securityfocus.com/archive/1/500396/100/0/threaded
www.securityfocus.com/archive/1/500412/100/0/threaded
www.securityfocus.com/bid/25314
www.vupen.com/english/advisories/2007/2880
www.vupen.com/english/advisories/2007/3386
www.vupen.com/english/advisories/2007/3527
www.vupen.com/english/advisories/2009/0233
exchange.xforce.ibmcloud.com/vulnerabilities/36001
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10077
www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html