VYPR
Moderate severity · NVD Advisory · Published Aug 4, 2008 · Updated Apr 23, 2026

CVE-2008-1232

Description

Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Tomcat versions 4.1.0–4.1.37, 5.5.0–5.5.26, and 6.0.0–6.0.16 are vulnerable to cross-site scripting (XSS) via crafted strings in the message argument to HttpServletResponse.sendError.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 [1][2][3]. The flaw is located in the HttpServletResponse.sendError method, where a crafted string supplied as the message argument is not properly sanitized before being included in the HTTP response body [1][2]. This allows an attacker to inject arbitrary web script or HTML that will be executed in the context of the victim's browser [2].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted request to a vulnerable Tomcat server that causes the sendError method to be called with a malicious message parameter [2]. The attacker does not need prior authentication or special privileges; the attack can be performed remotely over HTTP [1][2]. No user interaction is required beyond the victim's browser rendering the crafted error page [1][2].

Impact

Successful exploitation allows a remote attacker to inject arbitrary web script or HTML into the error page generated by Tomcat [1][2]. The injected script executes in the security context of the vulnerable web application domain, potentially enabling session hijacking, cookie theft, or other client-side attacks [2]. The attacker gains no direct access to the server itself, but can compromise the interactions of legitimate users with the affected application [1][2].

Mitigation

Users should upgrade to a patched version: Tomcat 4.1.x users should upgrade to 4.1.38 or later, Tomcat 5.5.x users to 5.5.27 or later, and Tomcat 6.0.x users to 6.0.17 or later [1][3]. Red Hat Enterprise Linux users can apply the fix via RHSA-2008:0648 [4]. Note that Tomcat 6.0.x has reached end of life, and no further security updates for that branch will be provided; users are strongly advised to migrate to a supported release (9.0.x or later) [1]. For Tomcat 5.x branches, which are also unsupported, an upgrade to a current release is recommended [3].
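The Vulnerability and Mitigation sections above describe the mechanism (the sendError message string lands in the HTML error report without escaping) and the fix (upgrade). The following is an added example, not Tomcat's own code and not taken from this advisory: it simulates a container error page that interpolates the message into HTML, renders a constructed sample message both verbatim and HTML-escaped, and includes a small regression check a defender can keep in a test suite. The class name, method names, page layout and the sample message are assumptions of this example.

```java
// Added example: simulates the behaviour the advisory describes for
// sendError(status, message). Not Tomcat's ErrorReportValve; the page layout
// below is a simplified stand-in (assumption of this example).
public class SendErrorMessageEscaping {

    // Minimal HTML escaping for text placed into element content.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern (the behaviour the advisory describes): the message
    // is concatenated into the HTML report verbatim, so any markup it carries
    // is rendered by the victim's browser.
    static String renderErrorPageUnescaped(int status, String message) {
        return "<html><head><title>HTTP Status " + status + "</title></head><body>"
             + "<h1>HTTP Status " + status + " - " + message + "</h1>"
             + "</body></html>";
    }

    // Hardened pattern: the same page, with the message HTML-escaped before it
    // is inserted. This is the remediation pattern the patched releases apply
    // (stated here as the standard fix for this class of bug, not as a quote
    // of Tomcat's source).
    static String renderErrorPageEscaped(int status, String message) {
        return renderErrorPageUnescaped(status, escapeHtml(message));
    }

    // Regression check for a test suite: if the message contained markup, the
    // rendered page must not contain that message verbatim.
    static boolean containsRawMarkup(String html, String message) {
        return message.contains("<") && html.contains(message);
    }

    public static void main(String[] args) {
        // Constructed sample: a request-derived string an application might
        // echo into sendError(), e.g. "resource <name> not found".
        String tainted = "<script>alert(1)</script>";

        String unsafe = renderErrorPageUnescaped(404, tainted);
        String safe = renderErrorPageEscaped(404, tainted);

        System.out.println("unescaped page carries raw markup: " + containsRawMarkup(unsafe, tainted));
        System.out.println("escaped page carries raw markup:   " + containsRawMarkup(safe, tainted));
        System.out.println(safe);
    }
}
```

Compile and run with `javac SendErrorMessageEscaping.java && java SendErrorMessageEscaping`. The first check reports true and the second false, and the printed page shows the message as `&lt;script&gt;...` text rather than an element. For an application that cannot yet move off one of the affected Tomcat lines, applying `escapeHtml` to any request-derived text before passing it to `sendError` is a stopgap at the application layer; the advisory's actual fix remains the upgrade to 4.1.38, 5.5.27 or 6.0.17 (or a currently supported release).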

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions      Patched versions
org.apache.tomcat:tomcat   Maven       >= 4.1.0, < 4.1.38     4.1.38
org.apache.tomcat:tomcat   Maven       >= 5.5.0, < 5.5.27     5.5.27
org.apache.tomcat:tomcat   Maven       >= 6.0.0, < 6.0.17     6.0.17

Affected products (3)

  • Apache/Tomcat (2 versions)
    • cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*  range: >= 4.1.0, <= 4.1.37
    • (no CPE)  range: 4.1.0-4.1.37, 5.5.0-5.5.26, 6.0.0-6.0.16
  • ghsa-coords
    Range: >= 4.1.0, < 4.1.38

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (81)

News mentions (0)

No linked articles in our index yet.