XSS in examples web application
Description
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Tomcat's form authentication example in the examples web application is vulnerable to reflected XSS due to unescaped user input.
Vulnerability
Description
CVE-2022-34305 is a reflected cross-site scripting (XSS) vulnerability in the Apache Tomcat examples web application, specifically in the form authentication example. The application displays user-provided data without proper filtering or encoding, allowing an attacker to inject arbitrary HTML or JavaScript into the response [1]. This affects Tomcat versions 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64, and 8.5.50 to 8.5.81 [2].
Exploitation
The examples web application ships in the standard Tomcat distribution (it is deployed from webapps/examples unless removed), and Tomcat's own security guidance is to remove it from production systems. Where it is present, an attacker can craft a URL carrying a script payload that, when a victim opens it, is reflected unescaped into the example's response and executed in the victim's browser under the Tomcat host's origin. NVD scores the issue as exploitable remotely over HTTP with no privileges required for the attacker, although, as with any reflected XSS, the victim must be induced to follow the link [2].
Impact
Successful exploitation lets the attacker run script in the victim's browser in the context of the Tomcat site: issuing requests with the victim's session, redirecting to a phishing page, or defacing the rendered page. Outright theft of the session cookie is limited by the fact that Tomcat marks its session cookie HttpOnly by default, but script running in the origin can still act on the session without reading the cookie. The Apache Tomcat security team rates the issue as low severity because it lies in sample code rather than the container itself; the practical impact depends on what else is served from the same origin and on the privileges of the victim [2].
Mitigation
Apache has released fixed versions: 10.1.0-M17, 10.0.23, 9.0.65, and 8.5.82. Users are advised to upgrade to these versions or, as a workaround, remove the examples web application from the deployment [1][2]. Gentoo Linux also provides updated packages in its GLSA 202208-34 advisory [3].
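As an added example (not code from this page or from the Tomcat project), the following Python checks a Tomcat version string against the affected ranges quoted above, ordering milestone builds such as 10.1.0-M16 before the final 10.1.0 release, and reports a host as needing action only when the examples web application is also deployed. The banner line and the webapp list at the bottom are constructed samples; the function names are assumptions for this example.

```python
"""Assess a Tomcat host for CVE-2022-34305 from its version and deployed webapps."""
import re
from typing import Iterable, Optional, Tuple

# Milestone builds (10.1.0-M16) sort before the final release of the same
# number, so a final release gets a sentinel rank larger than any milestone.
_FINAL_RANK = 10**6
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Affected ranges from the advisory, as [first affected, first fixed) per branch.
AFFECTED_RANGES = (
    ("10.1.0-M1", "10.1.0-M17"),
    ("10.0.0-M1", "10.0.23"),
    ("9.0.30", "9.0.65"),
    ("8.5.50", "8.5.82"),
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '9.0.64' or '10.1.0-M16' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    rank = int(milestone) if milestone else _FINAL_RANK
    return (int(major), int(minor), int(patch), rank)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release on the matching branch, or None if unaffected."""
    v = parse_version(version)
    for first_bad, first_fixed in AFFECTED_RANGES:
        if parse_version(first_bad) <= v < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def version_from_banner(banner: str) -> Optional[str]:
    """Extract the version from a 'Server version: Apache Tomcat/x.y.z' line."""
    m = re.search(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)", banner)
    return m.group(1) if m else None


def needs_action(version: str, deployed_webapps: Iterable[str]) -> bool:
    """True only when the version is in range AND the examples webapp is deployed.

    A vulnerable version with the examples application removed is not exposed
    to this particular issue (the workaround the advisory recommends).
    """
    return is_affected(version) and "examples" in set(deployed_webapps)


if __name__ == "__main__":
    # Constructed sample input: the banner `catalina.sh version` prints and
    # a directory listing of webapps/ on the same host.
    sample_banner = "Server version: Apache Tomcat/9.0.64"
    sample_webapps = ["ROOT", "docs", "examples", "manager", "host-manager"]
    ver = version_from_banner(sample_banner)
    print(f"version {ver}: affected={is_affected(ver)}, fix={fixed_version_for(ver)}")
    print(f"examples deployed -> action needed: {needs_action(ver, sample_webapps)}")
```

The boundary cases worth keeping in mind when adapting this: 10.1.0 final is not in range even though 10.1.0-M16 is, and the 10.0 branch fix is 10.0.23 (10.0.22 is the last affected release).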
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat | >= 10.1.0-M1, < 10.1.0-M17 | 10.1.0-M17 |
| org.apache.tomcat:tomcat | >= 10.0.0-M1, < 10.0.23 | 10.0.23 |
| org.apache.tomcat:tomcat | >= 9.0.30, < 9.0.65 | 9.0.65 |
| org.apache.tomcat:tomcat | >= 8.5.50, < 8.5.82 | 8.5.82 |
Affected products
OSV coordinates (no CPE):
- range: >= 8.5.50, < 8.5.82
- range: >= 10.1.0-M1, < 10.1.0-M17
CPE-based range:
- Apache Software Foundation / Apache Tomcat 8.5: versions 8.5.50 to 8.5.81
References
[1] GitHub Security Advisory GHSA-6j88-6whg-x687: github.com/advisories/GHSA-6j88-6whg-x687
[2] NVD entry for CVE-2022-34305: nvd.nist.gov/vuln/detail/CVE-2022-34305
[3] Gentoo GLSA 202208-34 (vendor advisory): security.gentoo.org/glsa/202208-34
[4] oss-security announcement, 2022-06-23 (mailing list): www.openwall.com/lists/oss-security/2022/06/23/1
[5] Apache Tomcat announcement thread: lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k
[6] NetApp advisory NTAP-20220729-0006: security.netapp.com/advisory/ntap-20220729-0006/