CVE-2008-1232: Apache Tomcat Cross-site scripting (XSS) vulnerability
CVSS Score: 4.3

Basic Information

CVE ID: CVE-2008-1232
GHSA ID
EPSS Score: 0.97049%
CWE
Published: 5/1/2022
Updated: 9/22/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.tomcat:tomcat | maven | >= 4.1.0, <= 4.1.37 | 4.1.38 |
| org.apache.tomcat:tomcat | maven | >= 5.5.0, <= 5.5.26 | 5.5.27 |
| org.apache.tomcat:tomcat | maven | >= 6.0.0, <= 6.0.16 | 6.0.17 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly states that the attack vector is the message argument to HttpServletResponse.sendError. Multiple sources (the CVE description, Apache security advisories, and commit references) confirm improper sanitization of this parameter when generating error pages and HTTP headers. The vulnerability manifests when user-controlled input flows into the message parameter without proper escaping, enabling XSS payload delivery through error responses.
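The pattern described above, as an added illustration that is not part of this advisory or of Tomcat's own code: a hypothetical servlet (`DocumentServlet`, the `doc` parameter and the helper methods are all assumptions) that reflects request data into the `sendError` message, beside an application-level mitigation that keeps request data out of the message shown to the client.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed example servlet. It is not code from Tomcat or from the advisory;
// it only shows how the root cause (user input reaching the sendError message)
// appears in application code and how an application can avoid contributing to it.
public class DocumentServlet extends HttpServlet {

    // Risky pattern: the request parameter is copied verbatim into the error
    // message. On container versions in the affected ranges, the default error
    // page emitted this message without escaping, so a parameter value
    // containing markup became part of the HTML error response.
    protected void doGetReflecting(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String name = req.getParameter("doc");
        resp.sendError(HttpServletResponse.SC_NOT_FOUND,
                "Document '" + name + "' was not found");
    }

    // Mitigated pattern: the client receives a static message; the untrusted
    // value is recorded server-side only, with line breaks removed so it cannot
    // forge extra log lines. Upgrading to a first patched version
    // (4.1.38 / 5.5.27 / 6.0.17) is still required, because escaping of the
    // message belongs in the container; this only removes the application's
    // own contribution on any container version.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String name = req.getParameter("doc");
        log("Document lookup failed, doc=" + sanitizeForLog(name));
        resp.sendError(HttpServletResponse.SC_NOT_FOUND, "Document not found");
    }

    // If a dynamic fragment must appear in a message, HTML-escape it first
    // rather than trusting the error page to do so.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    static String sanitizeForLog(String s) {
        return s == null ? "null" : s.replaceAll("[\\r\\n]", "_");
    }
}
```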