Versions of Tomcat 7.0.x earlier than 7.0.6 are potentially affected by a cross-site scripting vulnerability because the HTML Manager interface display web application provided data, such as display names, without filtering.
Binary data 800596.prm
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013
tomcat.apache.org/security-7.html