CVE-2018-8031 - OpenCVE

The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation. The TomEE bundles do not ship with this application included. This issue can be mitigated by removing the application after TomEE is setup (if using the application to install TomEE), using one of the provided pre-configured bundles, or by upgrading to TomEE 7.0.5. This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f84e47579863.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Tomee

Configuration 1 [-]

cpe:2.3:a:apache:tomee:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://lists.apache.org/thread.html/c4b0d83a534d6cdf2de54dbbd00e3538072ac2e360781b784608ed0d%40%3Cdev.tomee.apache.org%3E

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2018-07-23T22:00:00Z

Updated: 2024-09-16T17:58:50.281Z

Reserved: 2018-03-09T00:00:00

Link: CVE-2018-8031

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-07-23T22:29:00.253

Modified: 2023-11-07T03:01:22.140

Link: CVE-2018-8031

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache TomEE", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "< 7.0.5"}]}], "datePublic": "2018-07-23T00:00:00", "descriptions": [{"lang": "en", "value": "The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation. The TomEE bundles do not ship with this application included. This issue can be mitigated by removing the application after TomEE is setup (if using the application to install TomEE), using one of the provided pre-configured bundles, or by upgrading to TomEE 7.0.5. This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f84e47579863."}], "problemTypes": [{"descriptions": [{"description": "Cross site scripting (XSS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-02-20T20:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[tomee-dev] 20180723 CVE-2018-8031 Apache TomEE Webapp XSS", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/c4b0d83a534d6cdf2de54dbbd00e3538072ac2e360781b784608ed0d%40%3Cdev.tomee.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-07-23T00:00:00", "ID": "CVE-2018-8031", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache TomEE", "version": {"version_data": [{"version_value": "< 7.0.5"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation. The TomEE bundles do not ship with this application included. This issue can be mitigated by removing the application after TomEE is setup (if using the application to install TomEE), using one of the provided pre-configured bundles, or by upgrading to TomEE 7.0.5. This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f84e47579863."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross site scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "[tomee-dev] 20180723 CVE-2018-8031 Apache TomEE Webapp XSS", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/c4b0d83a534d6cdf2de54dbbd00e3538072ac2e360781b784608ed0d@%3Cdev.tomee.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T06:46:11.547Z"}, "title": "CVE Program Container", "references": [{"name": "[tomee-dev] 20180723 CVE-2018-8031 Apache TomEE Webapp XSS", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/c4b0d83a534d6cdf2de54dbbd00e3538072ac2e360781b784608ed0d%40%3Cdev.tomee.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-8031", "datePublished": "2018-07-23T22:00:00Z", "dateReserved": "2018-03-09T00:00:00", "dateUpdated": "2024-09-16T17:58:50.281Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomee:*:*:*:*:*:*:*:*", "matchCriteriaId": "76154260-DF7F-4EE3-9E20-BD8AEE7318AA", "versionEndExcluding": "7.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation. The TomEE bundles do not ship with this application included. This issue can be mitigated by removing the application after TomEE is setup (if using the application to install TomEE), using one of the provided pre-configured bundles, or by upgrading to TomEE 7.0.5. This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f84e47579863."}, {"lang": "es", "value": "La consola de Apache TomEE (tomee-webapp) tiene una vulnerabilidad Cross-Site Scripting (XSS) que podr\u00eda permitir la ejecuci\u00f3n de JavaScript si al usuario se le proporciona una URL maliciosa. Esta aplicaci\u00f3n web suele emplearse para agregar funcionalidades de TomEE a una instalaci\u00f3n de Tomcat. Los paquetes de TomEE no se distribuyen con la aplicaci\u00f3n incluida. Este problema puede mitigarse eliminando la aplicaci\u00f3n tras haber establecido TomEE (si se emplea la aplicaci\u00f3n para instalar TomEE), empleando uno de los paquetes preconfigurados proporcionados o actualizando a TomEE 7.0.5. Este problema se ha resuelto en el siguiente commit con ID b8bbf50c23ce97dd64f3a5d77f78f84e47579863."}], "id": "CVE-2018-8031", "lastModified": "2023-11-07T03:01:22.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-23T22:29:00.253", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/c4b0d83a534d6cdf2de54dbbd00e3538072ac2e360781b784608ed0d%40%3Cdev.tomee.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}