I have a strange issue: I am trying to track down the root cause for an
ancient CVE-2006-1548.


I can replicate the XSS in Tomcat 4.0.6; however, in Tomcat 6.0.37 the HTML
characters needed to inject the script are properly encoded. What is the
mechanism for this? I haven't been able to determine why ServletException
handles the message parameter differently between versions.

Can anyone point me in the right direction?


