A vulnerability has been reported in Apache Tomcat, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "Accept-Language" header is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site, e.g. via a specially crafted Flash file.

The vulnerability affects the following versions:
* Tomcat 4.0.0 to 4.0.6
* Tomcat 4.1.0 to 4.1.34
* Tomcat 5.0.0 to 5.0.30
* Tomcat 5.5.0 to 5.5.20
* Tomcat 6.0.0 to 6.0.5

Solution:
Update to 4.1.36, 5.5.21, 5.0.HEAD, or 6.0.6.

Provided and/or discovered by:
The vendor credits Masato Anzai and Toshiharu Sugiyama.

Original Advisory:
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html

JVN:
http://jvn.jp/jp/JVN%2316535199/index.html

Reproducible: Always
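An added example (not part of the advisory) for checking an inventory of Tomcat installations against the version ranges listed above: it parses a version string of the form "major.minor.patch" (or a banner such as "Apache Tomcat/5.5.20" as printed by Tomcat's ServerInfo) and reports the fixed release to move to. The ranges and fixed releases are copied from the advisory text; mapping the 4.0.x branch to 4.1.36 is an assumption, since the advisory lists no separate 4.0 fix.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (lowest affected, highest affected, fixed release), taken from the advisory.
# The 4.0.x branch is mapped to 4.1.36 as an assumption (no 4.0 fix is listed).
AFFECTED_RANGES = [
    ((4, 0, 0), (4, 0, 6), "4.1.36"),
    ((4, 1, 0), (4, 1, 34), "4.1.36"),
    ((5, 0, 0), (5, 0, 30), "5.0.HEAD"),
    ((5, 5, 0), (5, 5, 20), "5.5.21"),
    ((6, 0, 0), (6, 0, 5), "6.0.6"),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' from a bare version or a banner such as
    'Apache Tomcat/6.0.5'. Trailing suffixes like '-beta' are ignored."""
    text = text.strip().rsplit("/", 1)[-1]
    parts = text.split(".")
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    nums = []
    for part in parts[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"non-numeric version component in {text!r}")
        nums.append(int(digits))
    return (nums[0], nums[1], nums[2])


def check_tomcat_version(text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_release) for the given Tomcat version.

    Versions outside every listed range (including the fixed releases
    themselves) are reported as not affected by this advisory."""
    version = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return True, fixed
    return False, None


if __name__ == "__main__":
    # Constructed sample inventory, one banner per host.
    for banner in ["Apache Tomcat/5.5.20", "Apache Tomcat/6.0.6", "4.1.34"]:
        print(banner, "->", check_tomcat_version(banner))
```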
Oops, we aren't affected by this vuln - sorry guys