H3-2022-0047
Apache Tomcat Example Scripts Exposed
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 4.0 |
Description
Apache Tomcat, a widely used web server and servlet container, often comes with a set of example scripts intended to demonstrate its capabilities. These example scripts were found to be left accessible on a publicly facing server. An attacker can exploit this misconfiguration by navigating to the URLs of these example scripts and manipulating them to perform actions such as Cross-Site Scripting (XSS) attacks or gaining insights into the server's configurations and operations.
Impact
Exploiting this misconfiguration exposes internal server information and may allow an attacker to execute arbitrary JavaScript within the context of another user's session through an XSS attack.
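A local check for the condition described above, as an added example that is not part of the original advisory: it inspects a Tomcat instance directory for a deployed examples application. It assumes the stock layout, where the application base is `webapps` and the application is named `examples`; the function name `find_tomcat_examples` is made up for this sketch.

```shell
#!/bin/sh
# Audit a Tomcat instance directory (CATALINA_BASE) for a deployed
# "examples" web application. Assumes the default appBase "webapps"
# and the default application name "examples".
#
# Usage: source this file, then: find_tomcat_examples /path/to/CATALINA_BASE
# Prints one line per finding.
# Returns 0 if nothing was found, 1 if the app is deployed, 2 on bad input.
find_tomcat_examples() {
    base=$1
    if [ -z "$base" ] || [ ! -d "$base/webapps" ]; then
        echo "error: '$base' has no webapps directory" >&2
        return 2
    fi
    found=0

    # Exploded directory or packed WAR inside the application base.
    for p in "$base/webapps/examples" "$base/webapps/examples.war"; do
        if [ -e "$p" ]; then
            echo "FOUND deployed app: $p"
            found=1
        fi
    done

    # A context descriptor under conf/<engine>/<host>/ can deploy the
    # application even when it does not live under webapps/.
    for d in "$base"/conf/*/*/examples.xml; do
        if [ -f "$d" ]; then
            echo "FOUND context descriptor: $d"
            found=1
        fi
    done

    return $found
}
```

A non-zero result on an Internet-facing instance means the examples application should be removed or undeployed before the server is exposed.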