2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:N/I:P/A:N
0.768 High
EPSS
Percentile
98.2%
Low: Cross-site scripting CVE-2007-1358
Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious Flash files to make requests with such custom headers. When generating the response for getLocale() and getLocales(), Tomcat now ignores values for Accept-Language headers that do not conform to RFC 2616. Applications that use the raw header values directly should not assume that the headers conform to RFC 2616 and should filter the values appropriately.
Affects: 6.0.0-6.0.5
CPE | Name | Operator | Version |
---|---|---|---|
apache tomcat | ge | 6.0.0 | |
apache tomcat | le | 6.0.5 |