CVE-2018-8031 – org.apache.tomee:tomee-webapp

Package

Manager: maven
Name: org.apache.tomee:tomee-webapp
Vulnerable Version: >=0 <7.0.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.02255 pctl0.83984

Details

Apache TomEE console vulnerable to Cross-site Scripting The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation. The TomEE bundles do not ship with this application included. This issue can be mitigated by removing the application after TomEE is setup (if using the application to install TomEE), using one of the provided pre-configured bundles, or by upgrading to TomEE 7.0.5. This issue is resolved in this commit: b8bbf50c23ce97dd64f3a5d77f78f84e47579863.

Metadata

Created: 2022-05-14T01:30:10Z
Modified: 2022-11-08T12:31:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fg44-w3fr-hgxv/GHSA-fg44-w3fr-hgxv.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-fg44-w3fr-hgxv
Finding: F008
Auto approve: 1