Versions of Tomcat 5.x earlier than 5.5.32 are potentially affected by a cross-site scripting vulnerability because the HTML Manager interface displays web application provided data, such as display names, without filtering.
Binary data 800600.prm
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013
tomcat.apache.org/security-5.html