A number of vulnerabilities have been discovered in the Apache Tomcat server: The default catalina.policy in the JULI logging component did not restrict certain permissions for web applications which could allow a remote attacker to modify logging configuration options and overwrite arbitrary files . A cross-site scripting vulnerability was found in the HttpServletResponse.sendError method which could allow a remote attacker to inject arbitrary web script or HTML via forged HTTP headers . A cross-site scripting vulnerability was found in the host manager application that could allow a remote attacker to inject arbitrary web script or HTML via the hostname parameter . A traversal vulnerability was found when using a RequestDispatcher in combination with a servlet or JSP that could allow a remote attacker to utilize a specially-crafted request parameter to access protected web resources . A traversal vulnerability was found when the "allowLinking" and "URIencoding" settings were actived which could allow a remote attacker to use a UTF-8-encoded request to extend their privileges and obtain local files accessible to the Tomcat process . The updated packages have been patched to correct these issues.