CVE-2009-2696
Description
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2009-2696 is a regression in Red Hat Enterprise Linux 5 where Tomcat failed to fix an XSS vulnerability in the calendar example application.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in jsp/cal/cal2.jsp within the calendar application of the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5. The flaw is a missing fix: the patch for CVE-2009-0781 was not actually included in the RHSA-2009:1164 erratum for RHEL 5, even though that erratum stated it was [2]. The time parameter is reflected into the page without adequate escaping, so remote attackers can inject arbitrary web script or HTML, which the advisory describes as "invalid HTML" [1]. All Tomcat installations on Red Hat Enterprise Linux 5 that received only the incomplete security update are affected [2].
Exploitation
An attacker exploits this flaw by getting a victim to load a crafted URL for the affected cal2.jsp page whose time parameter carries script or HTML; the server reflects the parameter into its response and the victim's browser executes it in the origin of the Tomcat host. No authentication is required, and the attacker needs no special network position beyond being able to reach the web server hosting the examples application and a way to deliver the link (or a form submission) to a victim who can also reach it.
Impact
Successful exploitation is a reflected cross-site scripting (XSS) [1]: the injected script or HTML runs in the victim's browser within the origin of the Tomcat host. From that origin the script can issue requests to any other application deployed on the same host with the victim's cookies attached and, unless the session cookie is marked HttpOnly, read the session identifier directly. This enables session theft, credential phishing, or other actions performed on behalf of the authenticated user.
Mitigation
Red Hat addressed the regression in RHSA-2010:0580, released on 2010-08-02, which updated Tomcat so that the fix for CVE-2009-0781 is actually included [1][2]. Apply the update via Red Hat Network or by installing the patched packages. No vendor workaround is documented, but because the flaw lives in an example application, removing or undeploying the examples web application (which has no place on a production server) eliminates the exposure; at minimum the vulnerable cal2.jsp page can be removed.
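The following Python block is an added example, not code from the original page, Tomcat, or Red Hat: it models the unescaped reflection of the time parameter described under Exploitation beside the escaped rendering that the fix amounts to, and builds the kind of probe request and reflection check a regression test would run against a host after the update. The exact markup of cal2.jsp is not reproduced; the hidden input and heading are a simplified stand-in, and the base URL, canary token and function names are this example's own assumptions.

```python
import html
from urllib.parse import quote

# Simplified model of the vulnerable pattern: the value of the "time"
# request parameter is written straight into the page. (Assumption: the
# real cal2.jsp template is not reproduced here, only the unescaped
# reflection the CVE describes.)
def render_vulnerable(time_param: str) -> str:
    return (
        '<form method="POST" action="cal1.jsp">'
        f'<input name="time" type="hidden" value="{time_param}">'
        f"<h4>Time {time_param}</h4>"
        "</form>"
    )

# Hardened form: HTML-escape the parameter before it reaches the page.
# quote=True also escapes the double quote, which matters inside an
# attribute value, where a bare quote would end the attribute early.
def render_fixed(time_param: str) -> str:
    safe = html.escape(time_param, quote=True)
    return (
        '<form method="POST" action="cal1.jsp">'
        f'<input name="time" type="hidden" value="{safe}">'
        f"<h4>Time {safe}</h4>"
        "</form>"
    )

# A canary a scanner would send: a unique token wrapped in characters that
# are only meaningful if they come back unescaped. The leading quote and
# angle bracket break out of the attribute in the vulnerable rendering.
CANARY = "xs9q"          # assumed token; pick something unique per run
PROBE = f'"><b>{CANARY}</b><"'

def probe_url(base_url: str) -> str:
    """Build the GET a regression check would send after patching.

    base_url is assumed to include the context path of the examples
    application, e.g. http://host:8080/examples.
    """
    return f"{base_url}/jsp/cal/cal2.jsp?time={quote(PROBE, safe='')}"

def reflects_unescaped(body: str) -> bool:
    """True if the probe's markup came back intact, i.e. still vulnerable."""
    return f"<b>{CANARY}</b>" in body

def reflects_escaped(body: str) -> bool:
    """True if the host reflected the probe but neutralised its markup."""
    return f"&lt;b&gt;{CANARY}&lt;/b&gt;" in body

if __name__ == "__main__":
    # Offline demonstration on the two renderings; a live check would
    # fetch probe_url(...) and pass the response body to the same functions.
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        body = render(PROBE)
        print(f"{name}: unescaped={reflects_unescaped(body)} escaped={reflects_escaped(body)}")
```

Against a real host the check is the same: issue a GET to probe_url(...) and pass the response body to reflects_unescaped(). The check is only meaningful where the examples application is actually deployed; a 404 for cal2.jsp means the workaround (undeploying the examples) is in place rather than that the fix is.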
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
- secunia.com/advisories/40813 (nvd; Vendor Advisory)
- bugzilla.redhat.com/show_bug.cgi (nvd; Issue Tracking)
- www.redhat.com/support/errata/RHSA-2010-0580.html (nvd)
- www.vupen.com/english/advisories/2010/1986 (nvd)
News mentions: 0 (No linked articles in our index yet.)