VYPR
Moderate severity · NVD Advisory · Published Nov 26, 2010 · Updated Apr 29, 2026

CVE-2010-4172

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerabilities in the Apache Tomcat Manager application allow remote attackers to inject arbitrary web script or HTML via the sort parameters and other reflected inputs.

Vulnerability

The Manager application in Apache Tomcat versions 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 contains multiple cross-site scripting (XSS) flaws. The orderBy and sort parameters in sessionsList.jsp are not properly sanitized, and unspecified input in sessionDetail.jsp and java/org/apache/catalina/manager/JspHelper.java is also vulnerable, allowing injection of arbitrary web script or HTML. [1][2][3]

Exploitation

An attacker can send crafted HTTP requests to the Manager application with script embedded in the orderBy or sort parameters, or in the other unsanitized inputs. The description states no authentication requirement; the Manager application normally does require a role, but the vulnerability is remotely exploitable by any attacker able to reach the affected pages. [1][2]

Impact

Successful exploitation enables arbitrary web script or HTML injection in the context of the Manager application, potentially leading to session hijacking, defacement, or phishing attacks against users of the Manager interface. [1][2]

Mitigation

Fixed in Apache Tomcat 6.0.30 and 7.0.5. [1][3] Users should upgrade to these versions or later. Both Tomcat 6.0.x and 7.0.x have reached end of life; users are advised to upgrade to Tomcat 9.0.x or later to receive ongoing security fixes. [1][2][3] No workaround is documented in the available references.
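One defender-side check that follows from the narrative above, as an added example that is not part of this advisory or of Tomcat: a small Python scanner over constructed Tomcat access-log lines that flags requests to Manager pages whose sort, orderBy, order or path parameters carry HTML metacharacters (the parameters the description and the fix commit name). The log format, paths, user names and IP addresses are constructed sample values.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [22/Nov/2010:10:01:02 +0000] "GET /manager/html/sessions?path=/examples&sort=id&order=ASC HTTP/1.1" 200 5120
10.0.0.7 - admin [22/Nov/2010:10:01:09 +0000] "GET /manager/html/sessions?path=/examples&sort=%3Cb%3Ex%3C%2Fb%3E&order=ASC HTTP/1.1" 200 5130
10.0.0.9 - - [22/Nov/2010:10:02:00 +0000] "GET /manager/html/sessions?path=%22%3E&orderBy=ASC HTTP/1.1" 401 2047
10.0.0.5 - admin [22/Nov/2010:10:03:15 +0000] "GET /examples/servlets/index.html HTTP/1.1" 200 3300
"""

# Parameters the advisory names as reflected by the Manager session pages,
# plus 'order' and 'path', which the fix commit also escapes.
WATCHED_PARAMS = {"sort", "orderBy", "order", "path"}
HTML_METACHARS = re.compile(r'[<>"\']')
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_params(target):
    """Return {param: decoded value} for watched parameters that carry HTML metacharacters.

    Only request targets under /manager/ are inspected; other paths return {}.
    """
    parts = urlsplit(target)
    if "/manager/" not in parts.path:
        return {}
    found = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            # parse_qs already percent-decodes once; decode again to catch double encoding.
            if HTML_METACHARS.search(unquote(value)):
                found[name] = value
    return found


def scan_log(text):
    """Return [(client_ip, http_status, {param: value}), ...] for lines worth a look.

    The status is kept so a rejected (401) probe can be told apart from one
    that reached an authenticated Manager session.
    """
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        bad = suspicious_params(match.group("target"))
        if bad:
            hits.append((line.split(" ", 1)[0], int(match.group("status")), bad))
    return hits


if __name__ == "__main__":
    for ip, status, params in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} params={params}")
```

On the constructed sample the scanner reports the two probes (one from an authenticated client, one rejected with 401) and ignores the benign sort=id request and the non-Manager URL.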

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Affected versions      Patched versions
org.apache.tomcat:tomcat (Maven)   >= 7.0.0, < 7.0.5      7.0.5
org.apache.tomcat:tomcat (Maven)   >= 6.0.12, <= 6.0.29   (not listed)

Affected products (22)

  • Apache/Tomcat (21 versions)
    • cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
    • (no CPE) range: 6.0.12-6.0.29, 7.0.0-7.0.4
  • ghsa-coords: range >= 7.0.0, < 7.0.5

Patches (1)

5971f9392edc

Fix CVE-2010-4172. Multiple XSS in Manager web application

https://github.com/apache/tomcat · Mark Emlyn David Thomas · Nov 22, 2010 · via ghsa
4 files changed · +19 −17
  • java/org/apache/catalina/manager/JspHelper.java (+1 −1, modified)
    @@ -54,7 +54,7 @@ public static String guessDisplayLocaleFromSession(Session in_session) {
         }
         private static String localeToString(Locale locale) {
             if (locale != null) {
    -            return locale.toString();//locale.getDisplayName();
    +            return escapeXml(locale.toString());//locale.getDisplayName();
             } else {
                 return "";
             }
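    Review bot: escaping inside localeToString() means every caller now receives an already HTML-escaped string, which is not visible at the call sites; the JSP hunks below use the same pre-escaping convention for currentSessionId, so a one-line comment on this method stating that its return value is escaped for HTML output would stop a later caller from escaping it a second time or using it in a non-HTML context. The dead `//locale.getDisplayName();` comment could go in the same change.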
    
  • webapps/docs/changelog.xml (+3 −0, modified)
    @@ -295,6 +295,9 @@
             <bug>50310</bug>: Fix display of Servlet information in Manager
             application. (markt)
           </fix>
    +      <fix>
    +        CVE-2010-4172: Multiple XSS in Manager application. (markt/kkolinko)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Other">
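    Review bot: the changelog entry names the CVE but not the affected pages or parameters; listing sessionsList.jsp and sessionDetail.jsp, and that their output now goes through JspHelper.escapeXml, would let operators reading the changelog judge whether their use of the Manager application is affected.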
    
  • webapps/manager/WEB-INF/jsp/sessionDetail.jsp (+6 −7, modified)
    @@ -33,10 +33,10 @@
        ContextName cn = new ContextName(path, version);
        Session currentSession = (Session)request.getAttribute("currentSession");
        HttpSession currentHttpSession = currentSession.getSession();
    -   String currentSessionId = currentSession.getId();
    -   String submitUrl = response.encodeURL(((HttpServletRequest)
    -           pageContext.getRequest()).getRequestURI() + "?path=" + path +
    -           "&version=" + version);
    +   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
    +   String submitUrl = JspHelper.escapeXml(response.encodeURL(
    +           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
    +           "?path=" + path + "&version=" + version));
     %>
     <head>
         <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
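    Review bot: path and version are concatenated into the query string of submitUrl without URL-encoding, so escapeXml() makes the value safe inside the action attribute but a path containing `&` or `#` would still split or truncate the query; running both values through java.net.URLEncoder before concatenation and then escapeXml at output covers both contexts. Note also that currentSessionId is now escaped at declaration, so every later `<%= currentSessionId %>` in this file (title, hidden input) becomes escaped output; that is the intended effect but is only obvious with this hunk in view.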
    @@ -50,7 +50,7 @@
         <title>Sessions Administration: details for <%= currentSessionId %></title>
     </head>
     <body>
    -<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
    +<h1>Details for Session <%= currentSessionId %></h1>
     
     <table style="text-align: left;" border="0">
       <tr>
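    Review bot: dropping escapeXml() here is correct only because currentSessionId is now assigned the escaped value at the top of the page (previous hunk), which a reader of this hunk alone cannot see; leaving it in would double-escape. A variable name that carries the convention (escapedSessionId, a suggestion, not a name used in the code) or a comment at the declaration would make the dependency explicit.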
    @@ -142,7 +142,7 @@
                         <div>
                             <input type="hidden" name="action" value="removeSessionAttribute" />
                             <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
    -                        <input type="hidden" name="attributeName" value="<%= attributeName %>" />
    +                        <input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" />
                             <%
                               if ("Primary".equals(request.getParameter("sessionType"))) {
                             %>
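    Review bot: attributeName is escaped in the hidden input, but session attribute names are set by the deployed web application and this hunk shows only one place they are output; the visible cell that lists the attribute name in the same table row is not in the diff and should be confirmed to use escapeXml() as well.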
    @@ -165,7 +165,6 @@
     
     <form method="post" action="<%=submitUrl%>">
       <p style="text-align: center;">
    -    <input type="hidden" name="path" value="<%= path %>" />
         <input type="submit" value="Return to session list" />
       </p>
     </form>
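    Review bot: the removed hidden path input wrote the path request attribute into an attribute value unescaped, so deleting it closes one more reflection point as well as removing a field that was redundant with the path and version query parameters already carried by submitUrl (first hunk); the commit message's "Multiple XSS" summary could say so, since on its own the removal reads as a cleanup.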
    
  • webapps/manager/WEB-INF/jsp/sessionsList.jsp (+9 −9, modified)
    @@ -31,9 +31,9 @@
     <% String path = (String) request.getAttribute("path");
        String version = (String) request.getAttribute("version");
        ContextName cn = new ContextName(path, version);
    -   String submitUrl = response.encodeURL(((HttpServletRequest)
    -           pageContext.getRequest()).getRequestURI() + "?path=" + path +
    -           "&version=" + version);
    +   String submitUrl = JspHelper.escapeXml(response.encodeURL(
    +           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
    +           "?path=" + path + "&version=" + version));
        Collection activeSessions = (Collection) request.getAttribute("activeSessions");
     %>
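    Review bot: this submitUrl construction is now duplicated verbatim between sessionsList.jsp and sessionDetail.jsp, including the same unencoded interpolation of path and version into the query string; a single JspHelper method that URL-encodes the two values and returns the escaped URL would keep the two pages from drifting apart on the next fix. The raw Collection cast is pre-existing and unrelated.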
     <head>
    @@ -45,10 +45,10 @@
         <meta name="author" content="Cedrik LIME"/>
         <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
         <meta name="robots" content="noindex,nofollow,noarchive"/>
    -    <title>Sessions Administration for <%= cn.getDisplayName() %></title>
    +    <title>Sessions Administration for <%= JspHelper.escapeXml(cn.getDisplayName()) %></title>
     </head>
     <body>
    -<h1>Sessions Administration for <%= cn.getDisplayName() %></h1>
    +<h1>Sessions Administration for <%= JspHelper.escapeXml(cn.getDisplayName()) %></h1>
     
     <p>Tips:</p>
     <ul>
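    Review bot: cn.getDisplayName() is escaped in both the title and the h1, which is right, but computing `JspHelper.escapeXml(cn.getDisplayName())` once into a local next to submitUrl would make any third use added later escaped by default instead of relying on each output site to remember.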
    @@ -62,13 +62,13 @@
     <form action="<%= submitUrl %>" method="post" id="sessionsForm">
         <fieldset><legend>Active HttpSessions informations</legend>
             <input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
    -        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
    +        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
             <% String order = (String) request.getAttribute("order");
                if (order == null || "".equals(order)) {
                    order = "ASC";
                }
             %>
    -        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
    +        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
             <input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
             <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
             <table border="1" cellpadding="2" cellspacing="2" width="100%">
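    Review bot: the `(String)` cast was dropped, so `JspHelper.escapeXml(request.getAttribute("sort"))` compiles only if JspHelper has an escapeXml overload that takes Object; if only a String variant exists the page fails to compile, and if the Object variant stringifies a null attribute the hidden field silently carries the text "null". A default like the one applied to order a few lines below would keep the two fields consistent.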
    @@ -104,7 +104,7 @@
     <% Iterator iter = activeSessions.iterator();
        while (iter.hasNext()) {
            Session currentSession = (Session) iter.next();
    -       String currentSessionId = currentSession.getId();
    +       String currentSessionId = JspHelper.escapeXml(currentSession.getId());
            String type;
            if (currentSession instanceof DeltaSession) {
                if (((DeltaSession) currentSession).isPrimarySession()) {
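    Review bot: assigning the escaped id here changes every later use in the loop body, including the `out.print(currentSessionId)` branch visible in the next hunk's context, which previously printed the raw id; that is the intended effect, but the same HTML-escaped value is also interpolated into the sessionId query parameter of the detail link, where URL-encoding is the appropriate transform. This is harmless as long as session ids stay plain hex strings, and that assumption is worth a comment.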
    @@ -125,7 +125,7 @@
                                 out.print(currentSessionId);
                             } else {
                           %>
    -                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= JspHelper.escapeXml(currentSessionId) %></a>
    +                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= currentSessionId %></a>
                           <%
                             }
                           %>
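    Review bot: the link text now uses the pre-escaped currentSessionId, so removing the second escapeXml() avoids double-escaping, consistent with the sessionDetail.jsp change; the `type` value in the sessionType query parameter is still output unescaped, which is acceptable only because the previous hunk's context shows it assigned from fixed literals after instanceof checks, so either a comment there or an escapeXml() on it would guard against a later change that derives it from input.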
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (36)

News mentions (0)

No linked articles in our index yet.