CVE-2011-0013
Description
Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerabilities in the Apache Tomcat HTML Manager interface allow remote attackers to inject arbitrary web script or HTML via crafted parameters.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in the HTML Manager Interface of Apache Tomcat. These affect versions 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 [2][3][4]. The vulnerability can be triggered via the display-name tag, where unsanitized input is reflected back in the HTML response [1].
Exploitation
An attacker can exploit these XSS flaws by crafting a malicious URL or parameter that, when processed by the Manager application, injects arbitrary JavaScript. No authentication is required to send the malicious request; however, the attack relies on a victim who is logged into the Manager application to inadvertently visit the crafted URL, causing the script to execute in the context of the victim's session [1].
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser within the security context of the Manager application. This can lead to session hijacking, defacement, or theft of sensitive information, potentially giving the attacker the same privileges as the logged-in Manager user [1].
Mitigation
Upgrade to a fixed version: Tomcat 5.5.32, 6.0.30, or 7.0.6, released on February 19, 2011 [2][3][4]. The 5.5.x and 6.0.x branches have since reached end of life, so users still on them should move to a supported release such as 9.0.x to keep receiving security fixes [2][3]. No workarounds are documented in the available references.
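An added example (not Tomcat's code) that reproduces the pre-fix and post-fix rendering of one Manager application row in Python: the display name is read from a constructed web.xml, since that `<display-name>` element is what `context.getDisplayName()` returns, and `filter_html` is an assumed re-implementation of the `RequestUtil.filter` escaping the patches apply (`<`, `>`, `&`, `"` to entities).

```python
import xml.etree.ElementTree as ET
JAVAEE_NS = {"j": "http://java.sun.com/xml/ns/javaee"}

def filter_html(message):
    # Assumed re-implementation of RequestUtil.filter: the four HTML-significant
    # characters become entities; None passes through so callers keep their null check.
    if message is None:
        return None
    replacements = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}
    return "".join(replacements.get(ch, ch) for ch in message)

def display_name_from_web_xml(web_xml_text):
    # The <display-name> of web.xml is what HTMLManagerServlet later reads
    # through context.getDisplayName(); None when the descriptor has none.
    root = ET.fromstring(web_xml_text)
    node = root.find("j:display-name", JAVAEE_NS)
    return node.text if node is not None else None

# Constructed web.xml: the XML parser decodes the entities, so the Manager
# receives the literal string  Demo <b>app</b> & "Co"  as the display name.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <display-name>Demo &lt;b&gt;app&lt;/b&gt; &amp; &quot;Co&quot;</display-name>
</web-app>"""

# Simplified stand-in for the APPS_ROW_DETAILS_SECTION MessageFormat pattern.
ROW = '<tr><td><a href="{sessions}">{path}</a></td><td>{name}</td></tr>'

def render_row_vulnerable(context_path, display_path, display_name):
    # Pre-fix behaviour: values are dropped into the template unescaped.
    sessions = context_path + "/html/sessions?path=" + display_path
    name = " " if display_name is None else display_name
    return ROW.format(sessions=sessions, path=display_path, name=name)

def render_row_fixed(context_path, display_path, display_name):
    # Post-fix behaviour, as in the patch: displayPath, getDisplayName() and the
    # sessions URL all pass through the filter; a missing name stays a single space.
    sessions = filter_html(context_path + "/html/sessions?path=" + display_path)
    name = " " if display_name is None else filter_html(display_name)
    return ROW.format(sessions=sessions, path=filter_html(display_path), name=name)

def leaks_markup(rendered_row):
    # True if the display-name cell still holds a raw tag or quote character.
    cell = rendered_row.split("<td>")[2].split("</td>")[0]
    return "<" in cell or '"' in cell

if __name__ == "__main__":
    name = display_name_from_web_xml(WEB_XML)
    for render in (render_row_vulnerable, render_row_fixed):
        row = render("/manager", "/demo", name)
        print(f"{render.__name__}: leaks markup = {leaks_markup(row)}\n  {row}")
```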
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat (Maven) | >= 5.5.0, < 5.5.32 | 5.5.32 |
| org.apache.tomcat:tomcat (Maven) | >= 6.0.0, < 6.0.30 | 6.0.30 |
| org.apache.tomcat:tomcat (Maven) | >= 7.0.0, < 7.0.6 | 7.0.6 |
Affected products
- Affected version range (no CPE): <5.5.32, >=6.0 <6.0.30, >=7.0 <7.0.6
Patches
863d77c7d321 Improve filtering
3 files changed · +21 −17
container/webapps/docs/changelog.xml+3 −0 modified@@ -106,6 +106,9 @@ <update> Improve documentation of database connection factory. (rjung) </update> + <fix> + Improve filtering of Manager display output. (kkolinko) + </fix> </changelog> </subsection> </section>
container/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java+14 −13 modified@@ -370,15 +370,16 @@ public void list(HttpServletRequest request, } args = new Object[6]; - args[0] = displayPath; - args[1] = context.getDisplayName(); - if (args[1] == null) { + args[0] = RequestUtil.filter(displayPath); + if (context.getDisplayName() == null) { args[1] = " "; + } else { + args[1] = RequestUtil.filter(context.getDisplayName()); } args[2] = new Boolean(context.getAvailable()); - args[3] = response.encodeURL + args[3] = RequestUtil.filter(response.encodeURL (request.getContextPath() + - "/html/sessions?path=" + displayPath); + "/html/sessions?path=" + displayPath)); if (context.getManager() != null) { args[4] = new Integer (context.getManager().getActiveSessions()); @@ -392,21 +393,21 @@ public void list(HttpServletRequest request, (MessageFormat.format(APPS_ROW_DETAILS_SECTION, args)); args = new Object[9]; - args[0] = response.encodeURL + args[0] = RequestUtil.filter(response.encodeURL (request.getContextPath() + - "/html/start?path=" + displayPath); + "/html/start?path=" + displayPath)); args[1] = appsStart; - args[2] = response.encodeURL + args[2] = RequestUtil.filter(response.encodeURL (request.getContextPath() + - "/html/stop?path=" + displayPath); + "/html/stop?path=" + displayPath)); args[3] = appsStop; - args[4] = response.encodeURL + args[4] = RequestUtil.filter(response.encodeURL (request.getContextPath() + - "/html/reload?path=" + displayPath); + "/html/reload?path=" + displayPath)); args[5] = appsReload; - args[6] = response.encodeURL + args[6] = RequestUtil.filter(response.encodeURL (request.getContextPath() + - "/html/undeploy?path=" + displayPath); + "/html/undeploy?path=" + displayPath)); args[7] = appsUndeploy; args[8] = highlightColor;
container/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/StatusTransformer.java+4 −4 modified@@ -581,7 +581,7 @@ public static void writeDetailedState(PrintWriter writer, } writer.print("<a href=\"#" + (count++) + ".0\">"); - writer.print(webModuleName); + writer.print(filter(webModuleName)); writer.print("</a>"); if (iterator.hasNext()) { writer.print("<br>"); @@ -656,7 +656,7 @@ protected static void writeContext(PrintWriter writer, } writer.print("<h1>"); - writer.print(name); + writer.print(filter(name)); writer.print("</h1>"); writer.print("</a>"); @@ -784,11 +784,11 @@ public static void writeWrapper(PrintWriter writer, ObjectName objectName, mBeanServer.invoke(objectName, "findMappings", null, null); writer.print("<h2>"); - writer.print(servletName); + writer.print(filter(servletName)); if ((mappings != null) && (mappings.length > 0)) { writer.print(" [ "); for (int i = 0; i < mappings.length; i++) { - writer.print(mappings[i]); + writer.print(filter(mappings[i])); if (i < mappings.length - 1) { writer.print(" , "); }
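Review bot: the changelog entry in the @@ -106 hunk, "Improve filtering of Manager display output", reads as a cosmetic change and does not say that the status page rendered by StatusTransformer is escaped in the same commit; naming both the HTML Manager application listing and the status page would let anyone reading the changelog tell which output is now filtered.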
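Review bot: in the @@ -370 hunk, `args[3] = RequestUtil.filter(response.encodeURL(request.getContextPath() + "/html/sessions?path=" + displayPath))` HTML-escapes the finished URL, which closes the attribute-context injection, but `displayPath` is still concatenated into the query string without URL encoding, so a context path containing `?`, `#` or `%` produces a link whose `path` value is mis-parsed by the browser; URL-encode the value before `encodeURL` and apply `RequestUtil.filter` afterwards.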
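Review bot: the @@ -392 hunk repeats the same `RequestUtil.filter(response.encodeURL(request.getContextPath() + "/html/<action>?path=" + displayPath))` expression for the start, stop, reload and undeploy links; a small helper that builds and escapes one action URL would make it hard to add a fifth action to this row without the escaping, and the missing URL encoding of `displayPath` noted for the sessions link applies to all four of these as well.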
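Review bot: in the StatusTransformer @@ -656 hunk the context `name` is now filtered inside the `<h1>`, but the `writer.print("</a>")` visible right after it shows an `<a>` element was opened above the hunk; confirm that any attribute of that anchor built from the same `name` is escaped too, otherwise the element body is safe while the attribute remains injectable. The `filter(webModuleName)`, `filter(servletName)` and `filter(mappings[i])` changes in the other two hunks cover the remaining text nodes in the visible output.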
58223c5ecc07 Prevent XSS in Manager application
3 files changed · +28 −23
java/org/apache/catalina/manager/HTMLManagerServlet.java+21 −19 modified@@ -523,19 +523,21 @@ protected void list(HttpServletRequest request, } args = new Object[7]; - args[0] = "<a href=\"" + URL_ENCODER.encode(displayPath) + - "\">" + displayPath + "</a>"; - args[1] = ctxt.getWebappVersion(); - if ("".equals(args[1])) { - args[1]= noVersion; + args[0] = "<a href=\"" + URL_ENCODER.encode(displayPath) + + "\">" + RequestUtil.filter(displayPath) + "</a>"; + if ("".equals(ctxt.getWebappVersion())) { + args[1] = noVersion; + } else { + args[1] = RequestUtil.filter(ctxt.getWebappVersion()); } - args[2] = ctxt.getDisplayName(); - if (args[2] == null) { + if (ctxt.getDisplayName() == null) { args[2] = " "; + } else { + args[2] = RequestUtil.filter(ctxt.getDisplayName()); } args[3] = Boolean.valueOf(ctxt.getAvailable()); - args[4] = response.encodeURL(request.getContextPath() + - "/html/sessions?" + pathVersion); + args[4] = RequestUtil.filter(response.encodeURL(request.getContextPath() + + "/html/sessions?" + pathVersion)); Manager manager = ctxt.getManager(); if (manager instanceof DistributedManager && showProxySessions) { args[5] = Integer.valueOf( 
@@ -552,20 +554,20 @@ protected void list(HttpServletRequest request, (MessageFormat.format(APPS_ROW_DETAILS_SECTION, args)); args = new Object[14]; - args[0] = response.encodeURL(request.getContextPath() + - "/html/start?" + pathVersion); + args[0] = RequestUtil.filter(response.encodeURL(request + .getContextPath() + "/html/start?" + pathVersion)); args[1] = appsStart; - args[2] = response.encodeURL(request.getContextPath() + - "/html/stop?" + pathVersion); + args[2] = RequestUtil.filter(response.encodeURL(request + .getContextPath() + "/html/stop?" + pathVersion)); args[3] = appsStop; - args[4] = response.encodeURL(request.getContextPath() + - "/html/reload?" + pathVersion); + args[4] = RequestUtil.filter(response.encodeURL(request + .getContextPath() + "/html/reload?" + pathVersion)); args[5] = appsReload; - args[6] = response.encodeURL(request.getContextPath() + - "/html/undeploy?" + pathVersion); + args[6] = RequestUtil.filter(response.encodeURL(request + .getContextPath() + "/html/undeploy?" + pathVersion)); args[7] = appsUndeploy; - args[8] = response.encodeURL(request.getContextPath() + - "/html/expire?" + pathVersion); + args[8] = RequestUtil.filter(response.encodeURL(request + .getContextPath() + "/html/expire?" + pathVersion)); args[9] = appsExpire; args[10] = smClient.getString( "htmlManagerServlet.expire.explain");
java/org/apache/catalina/manager/StatusTransformer.java+4 −4 modified@@ -572,7 +572,7 @@ public static void writeDetailedState(PrintWriter writer, } writer.print("<a href=\"#" + (count++) + ".0\">"); - writer.print(webModuleName); + writer.print(filter(webModuleName)); writer.print("</a>"); if (iterator.hasNext()) { writer.print("<br>"); @@ -649,7 +649,7 @@ protected static void writeContext(PrintWriter writer, } writer.print("<h1>"); - writer.print(name); + writer.print(filter(name)); writer.print("</h1>"); writer.print("</a>"); @@ -778,11 +778,11 @@ public static void writeWrapper(PrintWriter writer, ObjectName objectName, mBeanServer.invoke(objectName, "findMappings", null, null); writer.print("<h2>"); - writer.print(servletName); + writer.print(filter(servletName)); if ((mappings != null) && (mappings.length > 0)) { writer.print(" [ "); for (int i = 0; i < mappings.length; i++) { - writer.print(mappings[i]); + writer.print(filter(mappings[i])); if (i < mappings.length - 1) { writer.print(" , "); }
webapps/docs/changelog.xml+3 −0 modified@@ -314,6 +314,9 @@ <bug>50488</bug>: Update classpath required when using jsvc and add a note regarding server VMs. (markt) </fix> + <fix> + Further filtering of Manager and Host Manager display output. (kkolinko) + </fix> </changelog> </subsection> <subsection name="Other">
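Review bot: in the @@ -523 hunk the link text becomes `RequestUtil.filter(displayPath)` while the `href` still uses only `URL_ENCODER.encode(displayPath)`; the hunk does not show which characters that encoder leaves unencoded, so for consistency with `args[4]`, where the complete sessions URL is passed through `RequestUtil.filter`, escape the encoded href as well rather than relying on the encoder's safe-character set. Minor: `ctxt.getWebappVersion()` is now called twice; a local variable avoids the repeated call.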
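Review bot: the @@ -552 hunk repeats `RequestUtil.filter(response.encodeURL(request.getContextPath() + "/html/<action>?" + pathVersion))` five times (start, stop, reload, undeploy, expire); factor it into one helper so a future action link cannot be added without the escaping. The hunk also splices `pathVersion` into the query string as-is, unlike the `URL_ENCODER.encode(displayPath)` used for the href in the earlier hunk, so confirm `pathVersion` is already URL-encoded where it is built.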
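Review bot: the StatusTransformer hunks at @@ -572, @@ -649 and @@ -778 pass `webModuleName`, `name`, `servletName` and `mappings[i]` through `filter` and match the 5.5 commit line for line; as there, the `writer.print("</a>")` that follows the `<h1>` in `writeContext` means an anchor was opened above the hunk, so check that any attribute of it derived from `name` is escaped too.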
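Review bot: the changelog entry in the @@ -314 hunk says "Further filtering of Manager and Host Manager display output", but this commit changes only `java/org/apache/catalina/manager/HTMLManagerServlet.java` and `java/org/apache/catalina/manager/StatusTransformer.java`, nothing under a host-manager package; either the Host Manager changes are in a separate commit that the entry should reference, or "Host Manager" should be dropped from the entry.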
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- tomcat.apache.org/security-5.html (nvd: Patch, Vendor Advisory, WEB)
- tomcat.apache.org/security-6.html (nvd: Patch, Vendor Advisory, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd: Patch, WEB)
- www.securitytracker.com/id (nvd: Exploit)
- secunia.com/advisories/43192 (nvd: Vendor Advisory)
- www.vupen.com/english/advisories/2011/0376 (nvd: Vendor Advisory)
- github.com/advisories/GHSA-3p86-xgrq-m6p6 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2011-0013 (ghsa: ADVISORY)
- lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html (nvd: WEB)
- lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html (nvd: WEB)
- marc.info (nvd: WEB)
- marc.info (nvd: WEB)
- marc.info (nvd: WEB)
- marc.info (nvd: WEB)
- securityreason.com/securityalert/8093 (nvd: WEB)
- support.apple.com/kb/HT5002 (nvd: WEB)
- support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html (nvd: WEB)
- tomcat.apache.org/security-7.html (nvd: WEB)
- www.debian.org/security/2011/dsa-2160 (nvd: WEB)
- www.mandriva.com/security/advisories (nvd: WEB)
- access.redhat.com/errata/RHSA-2011:0791 (ghsa: WEB)
- access.redhat.com/errata/RHSA-2011:0896 (ghsa: WEB)
- access.redhat.com/errata/RHSA-2011:0897 (ghsa: WEB)
- access.redhat.com/errata/RHSA-2011:1845 (ghsa: WEB)
- access.redhat.com/security/cve/CVE-2011-0013 (ghsa: WEB)
- github.com/apache/tomcat/commit/58223c5ecc0751c3642c810f291b8f033d33b97f (ghsa: WEB)
- github.com/apache/tomcat55/commit/863d77c7d321245de019ac32252828e0a025c5b4 (ghsa: WEB)
- lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12878 (nvd: WEB)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14945 (nvd: WEB)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19269 (nvd: WEB)
- web.archive.org/web/20111227000129/http://secunia.com/advisories/45022 (ghsa: WEB)
- web.archive.org/web/20111229163935/http://secunia.com/advisories/43192 (ghsa: WEB)
- web.archive.org/web/20120126065143/http://www.securityfocus.com/archive/1/516209/30/90/threaded (ghsa: WEB)
- web.archive.org/web/20120126070320/http://www.securitytracker.com/id (ghsa: WEB)
- web.archive.org/web/20120213130147/http://www.securityfocus.com/bid/46174 (ghsa: WEB)
- web.archive.org/web/20151017023138/http://secunia.com/advisories/57126 (ghsa: WEB)
- secunia.com/advisories/45022 (nvd)
- secunia.com/advisories/57126 (nvd)
- www.redhat.com/support/errata/RHSA-2011-0791.html (nvd)
- www.redhat.com/support/errata/RHSA-2011-0896.html (nvd)
- www.redhat.com/support/errata/RHSA-2011-0897.html (nvd)
- www.redhat.com/support/errata/RHSA-2011-1845.html (nvd)
- www.securityfocus.com/archive/1/516209/30/90/threaded (nvd)
- www.securityfocus.com/bid/46174 (nvd)
- lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E (nvd)
- lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E (nvd)
- lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E (nvd)
- lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E (nvd)
News mentions
No linked articles in our index yet.