Apache Tomcat is vulnerable to cross-site request forgery (CSRF). The server does not verify the authenticity of requests, which allows a remote attacker to perform unauthorized actions on the application by tricking a user into visiting a malicious site that submits unwanted requests to the application on behalf of the user.