CVE-2021-37573
Description
A reflected cross-site scripting (XSS) vulnerability in the web server Tiny Java Web Server and Servlet Container (TJWS) <=1.115 allows an adversary to inject malicious code on the server's "404 Page not Found" error page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- TJWS / Java Web Server and Servlet Container
Patches
Vulnerability mechanics
Root cause
"Improper input validation allows attacker-controlled data to be reflected unescaped into the HTTP 404 error page."
Attack vector
An attacker sends a crafted GET request to the TJWS server where the requested path contains HTML/JavaScript payload (e.g., `/te<img src=x onerror=alert(42)>st`). The server reflects the unvalidated input directly into the "404 Page not Found" error page. When a victim's browser renders this response, the injected JavaScript executes in the context of the server's origin [ref_id=1]. No authentication or special network position is required; any client that can reach the web server can be targeted.
Affected code
The advisory does not specify exact file or function names. The vulnerability lies in the HTTP 404 error-page handler of TJWS versions <= 1.115 [ref_id=1]. The server's error-page generation logic fails to sanitize the requested URI before embedding it in the HTML response body.
What the fix does
The advisory states the issue was fixed in version 1.116 [ref_id=1]. No patch diff is included in the bundle, but the fix presumably involves HTML-encoding or sanitizing user-supplied input before reflecting it in the 404 error page. Users should upgrade to TJWS 1.116 or later to close the vulnerability.
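Added illustration, not TJWS's own code (the advisory names no file or function): a minimal 404 body builder in the raw-reflection form beside the HTML-escaping form the fix description implies, exercised with the probe path quoted above. Class and method names are hypothetical.

```java
/** Added example: raw vs. escaped reflection of the request path into a 404 body. */
public final class NotFoundPage {

    /** Escape the characters that change meaning in HTML text and attribute contexts. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern (for contrast): the requested path is concatenated unescaped. */
    static String unsafe404(String requestPath) {
        return "<html><body><h1>404 Page not Found</h1><p>"
                + requestPath + "</p></body></html>";
    }

    /** Hardened pattern: same page, but the path is escaped before it reaches the body. */
    static String safe404(String requestPath) {
        return "<html><body><h1>404 Page not Found</h1><p>"
                + htmlEscape(requestPath) + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample: the probe path from the advisory text above.
        String probe = "/te<img src=x onerror=alert(42)>st";
        String bad = unsafe404(probe);
        String good = safe404(probe);
        // The raw reflection still carries a live <img> element; the escaped one is inert text.
        if (!bad.contains("<img src=x onerror=alert(42)>"))
            throw new AssertionError("unsafe reflection unexpectedly altered the path");
        if (good.contains("<img"))
            throw new AssertionError("escaping failed to neutralise the tag");
        if (!good.contains("&lt;img src=x onerror=alert(42)&gt;"))
            throw new AssertionError("escaped form differs from expected");
        System.out.println(good);
    }
}
```

A handler that builds the page this way should also send an explicit `Content-Type: text/html; charset=utf-8`, so the browser and the escaping agree on the document's encoding.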
Preconditions
- network: The attacker must be able to send HTTP requests to the TJWS server
- auth: No authentication required
- input: The victim must use a browser that renders HTML (i.e., does not treat the response as plain text)
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/163825/Tiny-Java-Web-Server-1.115-Cross-Site-Scripting.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2021/Aug/13 (mitre, mailing-list, x_refsource_FULLDISC)
- www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-042.txt (mitre, x_refsource_MISC)