{"containers": {"cna": {"affected": [{"product": "Apache TomEE", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "< 7.0.5"}]}], "datePublic": "2018-07-23T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation. The TomEE bundles do not ship with this application included. This issue can be mitigated by removing the application after TomEE is setup (if using the application to install TomEE), using one of the provided pre-configured bundles, or by upgrading to TomEE 7.0.5. This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f84e47579863."}], "problemTypes": [{"descriptions": [{"description": "Cross site scripting (XSS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-02-20T20:57:01.000Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[tomee-dev] 20180723 CVE-2018-8031 Apache TomEE Webapp XSS", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/c4b0d83a534d6cdf2de54dbbd00e3538072ac2e360781b784608ed0d%40%3Cdev.tomee.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-07-23T00:00:00", "ID": "CVE-2018-8031", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache TomEE", "version": {"version_data": [{"version_value": "< 7.0.5"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation. The TomEE bundles do not ship with this application included. This issue can be mitigated by removing the application after TomEE is setup (if using the application to install TomEE), using one of the provided pre-configured bundles, or by upgrading to TomEE 7.0.5. This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f84e47579863."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross site scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "[tomee-dev] 20180723 CVE-2018-8031 Apache TomEE Webapp XSS", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/c4b0d83a534d6cdf2de54dbbd00e3538072ac2e360781b784608ed0d@%3Cdev.tomee.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T06:46:11.547Z"}, "title": "CVE Program Container", "references": [{"name": "[tomee-dev] 20180723 CVE-2018-8031 Apache TomEE Webapp XSS", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/c4b0d83a534d6cdf2de54dbbd00e3538072ac2e360781b784608ed0d%40%3Cdev.tomee.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-8031", "datePublished": "2018-07-23T22:00:00.000Z", "dateReserved": "2018-03-09T00:00:00.000Z", "dateUpdated": "2024-09-16T17:58:50.281Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomee:*:*:*:*:*:*:*:*", "matchCriteriaId": "76154260-DF7F-4EE3-9E20-BD8AEE7318AA", "versionEndExcluding": "7.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation. The TomEE bundles do not ship with this application included. This issue can be mitigated by removing the application after TomEE is setup (if using the application to install TomEE), using one of the provided pre-configured bundles, or by upgrading to TomEE 7.0.5. This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f84e47579863."}, {"lang": "es", "value": "La consola de Apache TomEE (tomee-webapp) tiene una vulnerabilidad Cross-Site Scripting (XSS) que podr\u00eda permitir la ejecuci\u00f3n de JavaScript si al usuario se le proporciona una URL maliciosa. Esta aplicaci\u00f3n web suele emplearse para agregar funcionalidades de TomEE a una instalaci\u00f3n de Tomcat. Los paquetes de TomEE no se distribuyen con la aplicaci\u00f3n incluida. Este problema puede mitigarse eliminando la aplicaci\u00f3n tras haber establecido TomEE (si se emplea la aplicaci\u00f3n para instalar TomEE), empleando uno de los paquetes preconfigurados proporcionados o actualizando a TomEE 7.0.5. Este problema se ha resuelto en el siguiente commit con ID b8bbf50c23ce97dd64f3a5d77f78f84e47579863."}], "id": "CVE-2018-8031", "lastModified": "2024-11-21T04:13:07.943", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-23T22:29:00.253", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/c4b0d83a534d6cdf2de54dbbd00e3538072ac2e360781b784608ed0d%40%3Cdev.tomee.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/c4b0d83a534d6cdf2de54dbbd00e3538072ac2e360781b784608ed0d%40%3Cdev.tomee.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}