CVE-2022-34305

In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

Published: Jun 23, 2022
Updated: May 9, 2024
CVE: CVE-2022-34305
GHSA: GHSA-6j88-6whg-x687
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
apache / tomcat	10.1.0-milestone3	10.1.0-milestone3.x
apache / tomcat	10.1.0-milestone4	10.1.0-milestone4.x
apache / tomcat	10.1.0-milestone5	10.1.0-milestone5.x
apache / tomcat	10.1.0-milestone1	10.1.0-milestone1.x
apache / tomcat	10.1.0-milestone2	10.1.0-milestone2.x
apache / tomcat	10.1.0-milestone7	10.1.0-milestone7.x
apache / tomcat	10.1.0-milestone8	10.1.0-milestone8.x
apache / tomcat	10.1.0-milestone9	10.1.0-milestone9.x
apache / tomcat	10.1.0-milestone6	10.1.0-milestone6.x
apache / tomcat	10.1.0-milestone10	10.1.0-milestone10.x
apache / tomcat	10.1.0-milestone11	10.1.0-milestone11.x
apache / tomcat	10.1.0-milestone12	10.1.0-milestone12.x
apache / tomcat	10.1.0-milestone13	10.1.0-milestone13.x
apache / tomcat	10.1.0-milestone14	10.1.0-milestone14.x
apache / tomcat	10.1.0-milestone16	10.1.0-milestone16.x
apache / tomcat	10.1.0-milestone15	10.1.0-milestone15.x
apache / tomcat	9.0.30	9.0.64.x
apache / tomcat	8.5.50	8.5.81.x
apache / tomcat	10.0.0	10.0.22.x
org.apache.tomcat / tomcat	10.1.0-M1	10.1.0-M17
org.apache.tomcat / tomcat	10.0.0-M1	10.0.22
org.apache.tomcat / tomcat	9.0.30	9.0.65
org.apache.tomcat / tomcat	8.5.50	8.5.82

Vulnerability Database

289,599

CVE-2022-34305