CVE-2018-8031
Description
Apache TomEE console (tomee-webapp) is vulnerable to reflected XSS via crafted URL, allowing attacker to execute arbitrary JavaScript in the user's browser when clicking a malicious link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Apache TomEE console (tomee-webapp) suffers from a reflected cross-site scripting (XSS) vulnerability. The application builds a provider link from window.location.href without encoding it, allowing an attacker to inject arbitrary JavaScript into the page via a malicious URL [1]. The vulnerable code is the JavaScript in app.js that sets the provider link element's href attribute and its inner HTML from that value. All versions prior to Apache TomEE 7.0.5 are affected. The issue was fixed in commit b8bbf50c23ce97dd64f3a5d77f78f84e47579863 [3].
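As an added example that is not part of this record or of the TomEE code base, the following JavaScript models the app.js link construction against a constructed location object, placing the pre-fix builder beside the post-fix one and a text-only variant; the function names, the sample location and the escaping helper are assumptions made for the illustration.

```javascript
// Added example, not code from the TomEE project: a browser-free model of the
// app.js link-building logic, contrasting the string that reached .html()
// before and after the fix. Function names and the sample location are
// constructed for this illustration.

// Constructed stand-in for window.location; the query carries harmless
// markup so the difference between the builders is visible.
const sampleLocation = {
  origin: 'https://tomee.example.test',
  pathname: '/tomee/',
  search: '?note=<i>marker</i>',
  hash: '',
  href: 'https://tomee.example.test/tomee/?note=<i>marker</i>',
};

// Pre-fix: the full href (query and fragment included) becomes both the
// href attribute and, via jQuery .html(), the element's inner HTML.
function buildProviderLinkBeforeFix(loc) {
  const target = loc.href + 'ejb';
  return { href: target, innerHtml: target };
}

// After commit b8bbf50c23ce: only origin + pathname reaches .html().
// The href attribute is not touched by the fix and still uses the full href.
function buildProviderLinkAfterFix(loc) {
  return {
    href: loc.href + 'ejb',
    innerHtml: loc.origin + loc.pathname + 'ejb',
  };
}

// Equivalent of jQuery .text(): escape so the string is data, never markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Defensive variant: one target for attribute and visible text, with the
// visible text escaped as .text() would do.
function buildProviderLinkTextOnly(loc) {
  const target = loc.origin + loc.pathname + 'ejb';
  return { href: target, innerHtml: escapeHtml(target) };
}

// Does a string contain a tag opener an HTML parser would act on?
function containsMarkup(s) {
  return /<[a-z\/!]/i.test(s);
}
```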
Exploitation
An attacker can craft a URL containing a JavaScript payload in the fragment or query string. If a user who is logged into the TomEE console clicks the malicious link, the console's JavaScript will append the entire URL (including the payload) to the provider link's href and html properties, causing the browser to execute the injected script. No authentication is needed to trigger the XSS, but the victim must be authenticated to the console session for useful impact.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the authenticated user's session. This can lead to session cookie theft, page content manipulation, or redirection to malicious sites. Since the console often has administrative privileges, the attacker may be able to perform actions on the TomEE server as the victim, potentially compromising the entire application server.
Mitigation
The vulnerability is fixed in Apache TomEE 7.0.5 [1]. Users should upgrade to this version or later. If upgrading is not immediately possible, administrators can remove the tomee-webapp application after initial setup or use one of the pre-configured TomEE bundles that do not include this web application [1]. No workaround within the application itself is available.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomee:tomee-webapp (Maven) | < 7.0.5 | 7.0.5 |
Affected products
- Apache Software Foundation / Apache TomEE, range: < 7.0.5
Patches
- b8bbf50c23ce: better handle retrieving provider location
1 file changed · +1 −1
tomee/tomee-webapp/src/main/webapp/app.js+1 −1 modified@@ -62,7 +62,7 @@ $(function () { $('.ux-server-ready-panel').removeClass('ux-hidden'); var providerLink = $($('.ux-provider-url').get(0)); providerLink.attr('href', window.location.href + 'ejb'); - providerLink.html(window.location.href + 'ejb'); + providerLink.html(window.location.origin + window.location.pathname + 'ejb'); } else if (systemStatus.status === 'REBOOT_REQUIRED') { $('.ux-installer-reboot-panel').removeClass('ux-hidden'); } else {
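Review bot: the `providerLink.attr('href', window.location.href + 'ejb');` line just above the change is left as is, so the anchor's target still appends `ejb` to the full current URL; with any query string or fragment present the link points somewhere other than `<origin><pathname>ejb`, and only the displayed text is corrected. Suggest building the target once, e.g. `var ejbUrl = window.location.origin + window.location.pathname + 'ejb';`, using it for both calls, and preferring `providerLink.text(ejbUrl)` over `.html()` so the value is never interpreted as markup whatever the path contains.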
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fg44-w3fr-hgxv (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-8031 (GHSA, advisory)
- github.com/apache/tomee/commit/b8bbf50c23ce97dd64f3a5d77f78f84e47579863 (GHSA, web)
- lists.apache.org/thread.html/c4b0d83a534d6cdf2de54dbbd00e3538072ac2e360781b784608ed0d%40%3Cdev.tomee.apache.org%3E (MITRE, mailing list, x_refsource_MLIST)
- lists.apache.org/thread.html/c4b0d83a534d6cdf2de54dbbd00e3538072ac2e360781b784608ed0d@%3Cdev.tomee.apache.org%3E (GHSA, web)
News mentions
No linked articles in our index yet.