CVE-2007-2449 - 漏洞详情

CVE-2007-2449 (CNNVD-200706-247)

MEDIUM 有利用代码

中文标题:

Apache Tomcat JSP示例Web应用跨站脚本执行漏洞

英文标题:

Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web applica...

CVSS分数: 4.3

发布时间: 2007-06-14 23:00:00

漏洞类型: 其他

状态: PUBLISHED

数据质量分数: 0.40

数据版本: v4

漏洞描述

中文描述:

Apache Tomcat是一个流行的开放源码的JSP应用服务器程序。 Apache Tomcat的示例Web应用程序中的某些JSP文件没有转义某些用户输入，允许远程攻击者通过包含有；字符的特制URI请求执行跨站脚本攻击，向用户浏览器会话注入并执行任意Web脚本或HTML代码。

英文描述:

Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.

CWE类型:

（暂无数据）

受影响产品

厂商	产品	版本	版本范围	平台	CPE
apache	tomcat	*	-	-	`cpe:2.3:a:apache:tomcat::::::::`
apache	tomcat	4.0.0	-	-	`cpe:2.3:a:apache:tomcat:4.0.0:::::::*`
apache	tomcat	4.0.1	-	-	`cpe:2.3:a:apache:tomcat:4.0.1:::::::*`
apache	tomcat	4.0.2	-	-	`cpe:2.3:a:apache:tomcat:4.0.2:::::::*`
apache	tomcat	4.0.3	-	-	`cpe:2.3:a:apache:tomcat:4.0.3:::::::*`
apache	tomcat	4.0.4	-	-	`cpe:2.3:a:apache:tomcat:4.0.4:::::::*`
apache	tomcat	4.0.5	-	-	`cpe:2.3:a:apache:tomcat:4.0.5:::::::*`
apache	tomcat	5.0.0	-	-	`cpe:2.3:a:apache:tomcat:5.0.0:::::::*`
apache	tomcat	5.0.1	-	-	`cpe:2.3:a:apache:tomcat:5.0.1:::::::*`
apache	tomcat	5.0.2	-	-	`cpe:2.3:a:apache:tomcat:5.0.2:::::::*`
apache	tomcat	5.0.3	-	-	`cpe:2.3:a:apache:tomcat:5.0.3:::::::*`
apache	tomcat	5.0.4	-	-	`cpe:2.3:a:apache:tomcat:5.0.4:::::::*`
apache	tomcat	5.0.5	-	-	`cpe:2.3:a:apache:tomcat:5.0.5:::::::*`
apache	tomcat	5.0.6	-	-	`cpe:2.3:a:apache:tomcat:5.0.6:::::::*`
apache	tomcat	5.0.7	-	-	`cpe:2.3:a:apache:tomcat:5.0.7:::::::*`
apache	tomcat	5.0.8	-	-	`cpe:2.3:a:apache:tomcat:5.0.8:::::::*`
apache	tomcat	5.0.9	-	-	`cpe:2.3:a:apache:tomcat:5.0.9:::::::*`
apache	tomcat	5.0.10	-	-	`cpe:2.3:a:apache:tomcat:5.0.10:::::::*`
apache	tomcat	5.0.11	-	-	`cpe:2.3:a:apache:tomcat:5.0.11:::::::*`
apache	tomcat	5.0.12	-	-	`cpe:2.3:a:apache:tomcat:5.0.12:::::::*`
apache	tomcat	5.0.13	-	-	`cpe:2.3:a:apache:tomcat:5.0.13:::::::*`
apache	tomcat	5.0.14	-	-	`cpe:2.3:a:apache:tomcat:5.0.14:::::::*`
apache	tomcat	5.0.15	-	-	`cpe:2.3:a:apache:tomcat:5.0.15:::::::*`
apache	tomcat	5.0.16	-	-	`cpe:2.3:a:apache:tomcat:5.0.16:::::::*`
apache	tomcat	5.0.17	-	-	`cpe:2.3:a:apache:tomcat:5.0.17:::::::*`
apache	tomcat	5.0.18	-	-	`cpe:2.3:a:apache:tomcat:5.0.18:::::::*`
apache	tomcat	5.0.19	-	-	`cpe:2.3:a:apache:tomcat:5.0.19:::::::*`
apache	tomcat	5.0.21	-	-	`cpe:2.3:a:apache:tomcat:5.0.21:::::::*`
apache	tomcat	5.0.22	-	-	`cpe:2.3:a:apache:tomcat:5.0.22:::::::*`
apache	tomcat	5.0.23	-	-	`cpe:2.3:a:apache:tomcat:5.0.23:::::::*`
apache	tomcat	5.0.24	-	-	`cpe:2.3:a:apache:tomcat:5.0.24:::::::*`
apache	tomcat	5.0.25	-	-	`cpe:2.3:a:apache:tomcat:5.0.25:::::::*`
apache	tomcat	5.0.26	-	-	`cpe:2.3:a:apache:tomcat:5.0.26:::::::*`
apache	tomcat	5.0.27	-	-	`cpe:2.3:a:apache:tomcat:5.0.27:::::::*`
apache	tomcat	5.0.28	-	-	`cpe:2.3:a:apache:tomcat:5.0.28:::::::*`
apache	tomcat	5.0.29	-	-	`cpe:2.3:a:apache:tomcat:5.0.29:::::::*`
apache	tomcat	5.0.30	-	-	`cpe:2.3:a:apache:tomcat:5.0.30:::::::*`
apache	tomcat	5.5.0	-	-	`cpe:2.3:a:apache:tomcat:5.5.0:::::::*`
apache	tomcat	5.5.1	-	-	`cpe:2.3:a:apache:tomcat:5.5.1:::::::*`
apache	tomcat	5.5.2	-	-	`cpe:2.3:a:apache:tomcat:5.5.2:::::::*`
apache	tomcat	5.5.3	-	-	`cpe:2.3:a:apache:tomcat:5.5.3:::::::*`
apache	tomcat	5.5.4	-	-	`cpe:2.3:a:apache:tomcat:5.5.4:::::::*`
apache	tomcat	5.5.5	-	-	`cpe:2.3:a:apache:tomcat:5.5.5:::::::*`
apache	tomcat	5.5.6	-	-	`cpe:2.3:a:apache:tomcat:5.5.6:::::::*`
apache	tomcat	5.5.7	-	-	`cpe:2.3:a:apache:tomcat:5.5.7:::::::*`
apache	tomcat	5.5.8	-	-	`cpe:2.3:a:apache:tomcat:5.5.8:::::::*`
apache	tomcat	5.5.9	-	-	`cpe:2.3:a:apache:tomcat:5.5.9:::::::*`
apache	tomcat	5.5.10	-	-	`cpe:2.3:a:apache:tomcat:5.5.10:::::::*`
apache	tomcat	5.5.11	-	-	`cpe:2.3:a:apache:tomcat:5.5.11:::::::*`
apache	tomcat	5.5.12	-	-	`cpe:2.3:a:apache:tomcat:5.5.12:::::::*`
apache	tomcat	5.5.13	-	-	`cpe:2.3:a:apache:tomcat:5.5.13:::::::*`
apache	tomcat	5.5.14	-	-	`cpe:2.3:a:apache:tomcat:5.5.14:::::::*`
apache	tomcat	5.5.15	-	-	`cpe:2.3:a:apache:tomcat:5.5.15:::::::*`
apache	tomcat	5.5.16	-	-	`cpe:2.3:a:apache:tomcat:5.5.16:::::::*`
apache	tomcat	5.5.17	-	-	`cpe:2.3:a:apache:tomcat:5.5.17:::::::*`
apache	tomcat	5.5.18	-	-	`cpe:2.3:a:apache:tomcat:5.5.18:::::::*`
apache	tomcat	5.5.19	-	-	`cpe:2.3:a:apache:tomcat:5.5.19:::::::*`
apache	tomcat	5.5.20	-	-	`cpe:2.3:a:apache:tomcat:5.5.20:::::::*`
apache	tomcat	5.5.21	-	-	`cpe:2.3:a:apache:tomcat:5.5.21:::::::*`
apache	tomcat	5.5.22	-	-	`cpe:2.3:a:apache:tomcat:5.5.22:::::::*`
apache	tomcat	6.0.0	-	-	`cpe:2.3:a:apache:tomcat:6.0.0:::::::*`
apache	tomcat	6.0.1	-	-	`cpe:2.3:a:apache:tomcat:6.0.1:::::::*`
apache	tomcat	6.0.2	-	-	`cpe:2.3:a:apache:tomcat:6.0.2:::::::*`
apache	tomcat	6.0.3	-	-	`cpe:2.3:a:apache:tomcat:6.0.3:::::::*`
apache	tomcat	6.0.4	-	-	`cpe:2.3:a:apache:tomcat:6.0.4:::::::*`
apache	tomcat	6.0.5	-	-	`cpe:2.3:a:apache:tomcat:6.0.5:::::::*`
apache	tomcat	6.0.6	-	-	`cpe:2.3:a:apache:tomcat:6.0.6:::::::*`
apache	tomcat	6.0.7	-	-	`cpe:2.3:a:apache:tomcat:6.0.7:::::::*`
apache	tomcat	6.0.8	-	-	`cpe:2.3:a:apache:tomcat:6.0.8:::::::*`
apache	tomcat	6.0.10	-	-	`cpe:2.3:a:apache:tomcat:6.0.10:::::::*`
apache	tomcat	6.0.11	-	-	`cpe:2.3:a:apache:tomcat:6.0.11:::::::*`
apache	tomcat	6.0.12	-	-	`cpe:2.3:a:apache:tomcat:6.0.12:::::::*`
apache	tomcat	6.0.13	-	-	`cpe:2.3:a:apache:tomcat:6.0.13:::::::*`

解决方案

中文解决方案:

（暂无数据）

英文解决方案:

（暂无数据）

临时解决方案:

（暂无数据）

参考链接

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

RHSA-2008:0630 vendor-advisory
cve.org

访问

ADV-2008-1981 vdb-entry
cve.org

访问

FEDORA-2007-3456 vendor-advisory
cve.org

访问

24476 vdb-entry
cve.org

访问

31493 third-party-advisory
cve.org

访问

20070614 [CVE-2007-2449] Apache Tomcat XSS vulnerabilities in the JSP examples mailing-list
cve.org

访问

2804 third-party-advisory
cve.org

访问

RHSA-2007:0569 vendor-advisory
cve.org

访问

tomcat-example-xss(34869) vdb-entry
cve.org

访问

20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) mailing-list
cve.org

访问

1018245 vdb-entry
cve.org

访问

33668 third-party-advisory
cve.org

访问

29392 third-party-advisory
cve.org

访问

20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities mailing-list
cve.org

访问

SUSE-SR:2008:007 vendor-advisory
cve.org

访问

APPLE-SA-2008-06-30 vendor-advisory
cve.org

访问

ADV-2009-0233 vdb-entry
cve.org

访问

SUSE-SR:2009:004 vendor-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

ADV-2007-3386 vdb-entry
cve.org

访问

30802 third-party-advisory
cve.org

访问

27037 third-party-advisory
cve.org

访问

SSRT071447 vendor-advisory
cve.org

访问

27727 third-party-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

RHSA-2008:0261 vendor-advisory
cve.org

访问

36080 vdb-entry
cve.org

访问

oval:org.mitre.oval:def:10578 vdb-entry
cve.org

访问

26076 third-party-advisory
cve.org

访问

ADV-2007-2213 vdb-entry
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

MDKSA-2007:241 vendor-advisory
cve.org

访问

[tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ mailing-list
cve.org

访问

[tomcat-dev] 20190319 svn commit: r1855831 [22/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ mailing-list
cve.org

访问

[tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ mailing-list
cve.org

访问

[tomcat-dev] 20190325 svn commit: r1856174 [20/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ mailing-list
cve.org

访问

[tomcat-dev] 20200213 svn commit: r1873980 [24/34] - /tomcat/site/trunk/docs/ mailing-list
cve.org

访问

ExploitDB EDB-30189 EXPLOIT
exploitdb

访问

Download Exploit EDB-30189 EXPLOIT
exploitdb

访问

CVE Reference: CVE-2007-2449 ADVISORY
cve.org

访问

CVSS评分详情

4.3

MEDIUM

CVSS向量: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS版本: 2.0

机密性

NONE

完整性

PARTIAL

可用性

NONE

时间信息

发布时间:

2007-06-14 23:00:00

修改时间:

2024-08-07 13:42:33

创建时间:

2025-11-11 15:32:43

更新时间:

2026-01-26 02:17:12

利用信息

此漏洞有可利用代码！

利用代码数量: 1

利用来源:

未知

数据源详情

数据源	记录ID	版本	提取时间
CVE	`cve_CVE-2007-2449`	2025-11-11 15:17:52	2025-11-11 07:32:43
NVD	`nvd_CVE-2007-2449`	2025-11-11 14:52:11	2025-11-11 07:41:29
CNNVD	`cnnvd_CNNVD-200706-247`	2025-11-11 15:08:57	2025-11-11 07:49:18
EXPLOITDB	`exploitdb_EDB-30189`	2025-11-11 15:05:24	2025-11-11 08:25:25

版本与语言

当前版本: v4

主要语言: EN

支持语言:

EN ZH

其他标识符:

安全公告

暂无安全公告信息

变更历史

v4 EXPLOITDB

2025-11-11 16:25:25

references_count: 40 → 43; tags_count: 0 → 4; data_sources: ['cnnvd', 'cve', 'nvd'] → ['cnnvd', 'cve', 'exploitdb', 'nvd']

查看详细变更

references_count: 40 -> 43
tags_count: 0 -> 4
data_sources: ['cnnvd', 'cve', 'nvd'] -> ['cnnvd', 'cve', 'exploitdb', 'nvd']

v3 CNNVD

2025-11-11 15:49:18

vulnerability_type: 未提取 → 其他; cnnvd_id: 未提取 → CNNVD-200706-247; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']

查看详细变更

vulnerability_type: 未提取 -> 其他
cnnvd_id: 未提取 -> CNNVD-200706-247
data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']

v2 NVD

2025-11-11 15:41:29

cvss_score: 未提取 → 4.3; cvss_vector: NOT_EXTRACTED → AV:N/AC:M/Au:N/C:N/I:P/A:N; cvss_version: NOT_EXTRACTED → 2.0; affected_products_count: 0 → 73; references_count: 41 → 40; data_sources: ['cve'] → ['cve', 'nvd']

查看详细变更

cvss_score: 未提取 -> 4.3
cvss_vector: NOT_EXTRACTED -> AV:N/AC:M/Au:N/C:N/I:P/A:N
cvss_version: NOT_EXTRACTED -> 2.0
affected_products_count: 0 -> 73
references_count: 41 -> 40
data_sources: ['cve'] -> ['cve', 'nvd']

CVE-2007-2449 (CNNVD-200706-247)

中文标题:

Apache Tomcat JSP示例Web应用跨站脚本执行漏洞

英文标题:

Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web applica...

漏洞描述

中文描述:

英文描述:

CWE类型:

标签:

受影响产品

解决方案

中文解决方案:

英文解决方案:

临时解决方案:

参考链接

CVSS评分详情

时间信息

利用信息

数据源详情

版本与语言

安全公告

变更历史