Moderate severityNVD Advisory· Published Jun 4, 2008· Updated Jun 16, 2026
CVE-2008-1947
CVE-2008-1947
Description
Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | >= 5.5.9, < 5.5.27 | 5.5.27 |
org.apache.tomcat:tomcatMaven | >= 6.0.0, < 6.0.18 | 6.0.18 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 5.5.9, < 5.5.27 | 5.5.27 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 6.0.0, < 6.0.18 | 6.0.18 |
Affected products
37cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*+ 34 more
- cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
- ghsa-coords2 versions
>= 5.5.9, < 5.5.27+ 1 more
- (no CPE)range: >= 5.5.9, < 5.5.27
- (no CPE)range: >= 5.5.9, < 5.5.27
Patches
Vulnerability mechanics
References
71- secunia.com/advisories/30500nvdVendor Advisory
- secunia.com/advisories/30592nvdVendor Advisory
- github.com/advisories/GHSA-f98p-9pp6-7q6cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2008-1947ghsaADVISORY
- lists.apple.com/archives/security-announce/2008/Oct/msg00001.htmlnvdWEB
- lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.htmlnvdWEB
- lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.htmlnvdWEB
- marc.infonvdWEB
- marc.infonvdWEB
- marc.infonvdWEB
- support.apple.com/kb/HT3216nvdWEB
- support.avaya.com/elmodocs2/security/ASA-2008-401.htmnvdWEB
- tomcat.apache.org/security-5.htmlnvdWEB
- tomcat.apache.org/security-6.htmlnvdWEB
- www.debian.org/security/2008/dsa-1593nvdWEB
- www.mandriva.com/security/advisoriesnvdWEB
- www.redhat.com/support/errata/RHSA-2008-0648.htmlnvdWEB
- www.redhat.com/support/errata/RHSA-2008-0862.htmlnvdWEB
- www.redhat.com/support/errata/RHSA-2008-0864.htmlnvdWEB
- www.vmware.com/security/advisories/VMSA-2009-0002.htmlnvdWEB
- www.vmware.com/security/advisories/VMSA-2009-0016.htmlnvdWEB
- access.redhat.com/errata/RHSA-2008:0648ghsaWEB
- access.redhat.com/errata/RHSA-2008:0862ghsaWEB
- access.redhat.com/errata/RHSA-2008:0864ghsaWEB
- access.redhat.com/errata/RHSA-2008:1007ghsaWEB
- access.redhat.com/security/cve/CVE-2008-1947ghsaWEB
- bugzilla.redhat.com/show_bug.cgighsaWEB
- exchange.xforce.ibmcloud.com/vulnerabilities/42816nvdWEB
- github.com/apache/tomcat/commit/49c71fc59c1b8f8da77aea9eb53e61db168aebabghsaWEB
- github.com/apache/tomcat/commit/5f00d434c8dc11bd49ce0b4b56fe889839056030ghsaWEB
- github.com/apache/tomcat/commit/78ad0fcbe29c824f1f2e45a4e2716247b033250aghsaWEB
- github.com/apache/tomcat/commit/ab6a6c41ac972c845717c9d639f0335865afab4dghsaWEB
- lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apple.com/archives/security-announce/2008/Oct/msg00001.htmlghsaWEB
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534nvdWEB
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009nvdWEB
- web.archive.org/web/20200514224656/http://www.securityfocus.com/archive/1/507985/100/0/threadedghsaWEB
- web.archive.org/web/20201208011750/http://www.securityfocus.com/archive/1/492958/100/0/threadedghsaWEB
- www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.htmlnvdWEB
- www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.htmlnvdWEB
- www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.htmlnvdWEB
- secunia.com/advisories/30967nvd
- secunia.com/advisories/31639nvd
- secunia.com/advisories/31865nvd
- secunia.com/advisories/31891nvd
- secunia.com/advisories/32120nvd
- secunia.com/advisories/32222nvd
- secunia.com/advisories/32266nvd
- secunia.com/advisories/33797nvd
- secunia.com/advisories/33999nvd
- secunia.com/advisories/34013nvd
- secunia.com/advisories/37460nvd
- secunia.com/advisories/57126nvd
- www.securityfocus.com/archive/1/492958/100/0/threadednvd
- www.securityfocus.com/archive/1/507985/100/0/threadednvd
- www.securityfocus.com/bid/29502nvd
- www.securityfocus.com/bid/31681nvd
- www.securitytracker.com/idnvd
- www.vupen.com/english/advisories/2008/1725nvd
- www.vupen.com/english/advisories/2008/2780nvd
- www.vupen.com/english/advisories/2008/2823nvd
- www.vupen.com/english/advisories/2009/0320nvd
- www.vupen.com/english/advisories/2009/0503nvd
- www.vupen.com/english/advisories/2009/3316nvd
News mentions
0No linked articles in our index yet.