CVE-2007-1358

CVE Descriptions

Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	2.6		AV:N/AC:H/Au:N/C:N/I:P/A:N	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	7.34%	–	–
2022-04-03	–	–	7.34%	–	–
2023-02-26	–	–	7.34%	–	–
2023-03-12	–	–	–	93.98%	–
2023-04-09	–	–	–	93.76%	–
2023-06-25	–	–	–	93.66%	–
2023-10-15	–	–	–	89.37%	–
2023-11-12	–	–	–	80.86%	–
2023-12-31	–	–	–	82.21%	–
2024-02-04	–	–	–	80.13%	–
2024-03-17	–	–	–	76.82%	–
2024-06-02	–	–	–	71.84%	–
2024-07-07	–	–	–	72.91%	–
2024-08-25	–	–	–	72.88%	–
2024-12-22	–	–	–	62.91%	–
2025-01-12	–	–	–	60.72%	–
2025-01-19	–	–	–	60.72%	–
2025-03-18	–	–	–	–	68.12%
2025-03-30	–	–	–	–	56.95%
2025-04-15	–	–	–	–	51.55%
2025-04-15	–	–	–	–	51.55,%

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Date	Percentile
2022-02-06	81%
2022-04-03	92%
2023-02-26	93%
2023-03-12	99%
2023-04-09	99%
2023-06-25	99%
2023-10-15	98%
2023-11-12	98%
2023-12-31	98%
2024-02-04	98%
2024-03-17	98%
2024-06-02	98%
2024-07-07	98%
2024-08-25	98%
2024-12-22	98%
2025-01-12	98%
2025-01-19	98%
2025-03-18	99%
2025-03-30	98%
2025-04-15	98%
2025-04-15	98%

Products Mentioned

Configuraton 0

Apache>>Tomcat >> Version To (including) 4.1.31

Apache>>Tomcat >> Version - (Open CPE detail)
Apache>>Tomcat >> Version 1.1.3 (Open CPE detail)
Apache>>Tomcat >> Version 3.0 (Open CPE detail)
Apache>>Tomcat >> Version 3.1 (Open CPE detail)
Apache>>Tomcat >> Version 3.1.1 (Open CPE detail)
Apache>>Tomcat >> Version 3.2 (Open CPE detail)
Apache>>Tomcat >> Version 3.2.1 (Open CPE detail)
Apache>>Tomcat >> Version 3.2.2 (Open CPE detail)
Apache>>Tomcat >> Version 3.2.2 (Open CPE detail)
Apache>>Tomcat >> Version 3.2.3 (Open CPE detail)
Apache>>Tomcat >> Version 3.2.4 (Open CPE detail)
Apache>>Tomcat >> Version 3.3 (Open CPE detail)
Apache>>Tomcat >> Version 3.3.1 (Open CPE detail)
Apache>>Tomcat >> Version 3.3.1a (Open CPE detail)
Apache>>Tomcat >> Version 3.3.2 (Open CPE detail)
Apache>>Tomcat >> Version 4 (Open CPE detail)
Apache>>Tomcat >> Version 4.0.0 (Open CPE detail)
Apache>>Tomcat >> Version 4.0.1 (Open CPE detail)
Apache>>Tomcat >> Version 4.0.2 (Open CPE detail)
Apache>>Tomcat >> Version 4.0.3 (Open CPE detail)
Apache>>Tomcat >> Version 4.0.4 (Open CPE detail)
Apache>>Tomcat >> Version 4.0.5 (Open CPE detail)
Apache>>Tomcat >> Version 4.0.6 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.0 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.1 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.2 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.3 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.3 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.4 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.5 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.6 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.8 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.9 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.10 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.11 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.12 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.13 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.14 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.15 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.16 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.17 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.18 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.19 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.20 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.21 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.22 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.23 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.24 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.25 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.26 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.27 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.28 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.29 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.30 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.31 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.0

Apache>>Tomcat >> Version 4.0.0 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.1

Apache>>Tomcat >> Version 4.0.1 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.2

Apache>>Tomcat >> Version 4.0.2 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.3

Apache>>Tomcat >> Version 4.0.3 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.4

Apache>>Tomcat >> Version 4.0.4 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.5

Apache>>Tomcat >> Version 4.0.5 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.6

Apache>>Tomcat >> Version 4.0.6 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.0

Apache>>Tomcat >> Version 4.1.0 (Open CPE detail)

References

http://tomcat.apache.org/security-4.html
Tags : x_refsource_CONFIRM

http://secunia.com/advisories/30908
Tags : third-party-advisory, x_refsource_SECUNIA

http://secunia.com/advisories/25721
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.vupen.com/english/advisories/2007/2732
Tags : vdb-entry, x_refsource_VUPEN

http://rhn.redhat.com/errata/RHSA-2008-0630.html
Tags : vendor-advisory, x_refsource_REDHAT

http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1
Tags : vendor-advisory, x_refsource_SUNALERT

http://www.vupen.com/english/advisories/2007/3087
Tags : vdb-entry, x_refsource_VUPEN

http://secunia.com/advisories/30899
Tags : third-party-advisory, x_refsource_SECUNIA

https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
Tags : vendor-advisory, x_refsource_FEDORA

http://secunia.com/advisories/31493
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.vupen.com/english/advisories/2008/1979/references
Tags : vdb-entry, x_refsource_VUPEN

http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
Tags : vendor-advisory, x_refsource_APPLE

http://www.securityfocus.com/archive/1/500412/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ

http://secunia.com/advisories/33668
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.securityfocus.com/archive/1/500396/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ

http://www.vupen.com/english/advisories/2007/1729
Tags : vdb-entry, x_refsource_VUPEN

http://osvdb.org/34881
Tags : vdb-entry, x_refsource_OSVDB

http://www.securityfocus.com/bid/24524
Tags : vdb-entry, x_refsource_BID

http://www.vupen.com/english/advisories/2009/0233
Tags : vdb-entry, x_refsource_VUPEN

http://www.fujitsu.com/global/support/software/security/products-f/interstage-200704e.html
Tags : x_refsource_CONFIRM

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10679
Tags : vdb-entry, signature, x_refsource_OVAL

http://www.vupen.com/english/advisories/2007/3386
Tags : vdb-entry, x_refsource_VUPEN

http://www.securityfocus.com/archive/1/471719/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ

http://secunia.com/advisories/27037
Tags : third-party-advisory, x_refsource_SECUNIA

http://docs.info.apple.com/article.html?artnum=306172
Tags : x_refsource_CONFIRM

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
Tags : vendor-advisory, x_refsource_HP

http://secunia.com/advisories/27727
Tags : third-party-advisory, x_refsource_SECUNIA

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
Tags : vendor-advisory, x_refsource_HP

http://jvn.jp/jp/JVN%2316535199/index.html
Tags : third-party-advisory, x_refsource_JVN

http://www.securityfocus.com/bid/25159
Tags : vdb-entry, x_refsource_BID

http://secunia.com/advisories/26660
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.redhat.com/support/errata/RHSA-2008-0261.html
Tags : vendor-advisory, x_refsource_REDHAT

http://www.securitytracker.com/id?1018269
Tags : vdb-entry, x_refsource_SECTRACK

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
Tags : x_refsource_CONFIRM

http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
Tags : x_refsource_CONFIRM

http://secunia.com/advisories/26235
Tags : third-party-advisory, x_refsource_SECUNIA

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

CVE-2007-1358 : Detail