VYPR
Moderate severity · NVD Advisory · Published May 21, 2007 · Updated Apr 23, 2026

CVE-2007-1355

Description

Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple XSS vulnerabilities in the Apache Tomcat hello.jsp example application allow remote attackers to inject arbitrary web script or HTML via the test parameter.

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in the appdev/sample/web/hello.jsp example application shipped with Apache Tomcat. The flaw is present in versions 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 [1][2][3]. The vulnerability can be triggered via the test parameter and other unspecified vectors.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing JavaScript or HTML in the test parameter of the hello.jsp page. The request is sent to a vulnerable Tomcat server, and because the example application does not properly sanitize user input, the injected script is rendered in the victim's browser when they access the crafted link. No authentication is required, and the attacker only needs to trick a user into visiting the malicious URL (e.g., via phishing or embedding the link on another site) [1][2][3].
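The request pattern described above leaves a trace in the Tomcat access log. The following detection logic is an added example (not part of the advisory or of Tomcat) that scans common/combined-format access log lines for requests to hello.jsp whose `test` parameter carries markup characters after percent-decoding; the deployed path `/sample/hello.jsp` and the log lines themselves are constructed assumptions, since the advisory only names the source location appdev/sample/web/hello.jsp.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common/combined AccessLogValve line: ip ident user [ts] "METHOD uri proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)')
# Characters that let a value reflected into HTML text leave that context.
MARKUP_CHARS = set('<>"\'')

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so a double-encoded value still surfaces."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_test_param(uri):
    """Decoded `test` value if the request targets hello.jsp and carries markup, else None."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith('/hello.jsp'):
        return None
    for once in parse_qs(parts.query, keep_blank_values=True).get('test', []):
        decoded = fully_decode(once)  # parse_qs already decoded one round
        if MARKUP_CHARS & set(decoded) or 'javascript:' in decoded.lower():
            return decoded
    return None

def scan_log(lines):
    """Return (client_ip, status, decoded_test_value) for every flagged line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        found = suspicious_test_param(m.group('uri'))
        if found is not None:
            hits.append((m.group('ip'), int(m.group('status')), found))
    return hits

# Constructed sample lines, not real traffic; /sample/hello.jsp is an assumed deploy path.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/May/2007:10:00:01 +0000] "GET /sample/hello.jsp?test=world HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/May/2007:10:00:07 +0000] "GET /sample/hello.jsp?test=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 560',
    '203.0.113.9 - - [21/May/2007:10:00:09 +0000] "GET /sample/hello.jsp?test=%253Cb%253Ex HTTP/1.1" 200 530',
    '198.51.100.2 - - [21/May/2007:10:01:00 +0000] "GET /index.jsp?test=%3Cb%3E HTTP/1.1" 200 300',
]
```

A 200 status on a flagged line means the page reflected the value; on a server where the example application has been removed, the same request would log a 404, which is the simplest confirmation that the mitigation is in place.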

Impact

Successful exploitation allows a remote attacker to execute arbitrary web script or HTML in the context of the victim's browser session, within the domain of the affected Tomcat server. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability impacts confidentiality and integrity of user data exposed through the browser, but does not directly affect the server-side application or data [3].

Mitigation

Apache Tomcat has reached end-of-life for many of the affected branches, including 4.x, 5.0.x, 5.5.x, and 6.0.x, and no patches will be provided [1][2]. Users are strongly advised to remove or disable the hello.jsp example application from production deployments. No affected branch is still supported at this time; where an upgrade path exists, moving to a fixed version (e.g., 5.5.26 or later, 6.0.11 or later) resolves the issue [1][2][3]. As a general best practice, example applications should not be deployed in production environments.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem   Affected versions     Patched versions
org.apache.tomcat:jsp-api      Maven       >= 4.1.0, < 4.1.37    4.1.37
org.apache.tomcat:jsp-api      Maven       >= 5.5.0, < 5.5.24    5.5.24
org.apache.tomcat:jsp-api      Maven       >= 6.0.0, < 6.0.11    6.0.11
org.apache.tomcat:jsp-api      Maven       >= 5.0.0, <= 5.0.30   (none listed)
org.apache.tomcat:jsp-api      Maven       >= 4.0.0, <= 4.0.6    (none listed)
org.apache.tomcat:servlet-api  Maven       >= 4.1.0, < 4.1.37    4.1.37
org.apache.tomcat:servlet-api  Maven       >= 5.5.0, < 5.5.24    5.5.24
org.apache.tomcat:servlet-api  Maven       >= 6.0.0, < 6.0.11    6.0.11
org.apache.tomcat:servlet-api  Maven       >= 5.0.0, <= 5.0.30   (none listed)
org.apache.tomcat:servlet-api  Maven       >= 4.0.0, <= 4.0.6    (none listed)

Affected products

54
  • Apache/Tomcat: 52 versions (cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:* and 51 more)
  • ghsa-coords: 2 versions, range >= 4.1.0, < 4.1.37 (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

39

News mentions

0

No linked articles in our index yet.