When reporting error messages, the SendMailServlet in Apache Tomcat does not filter user-supplied data before it is displayed. This makes it possible for remote attackers to launch a Cross-site Scripting (XSS) attack.
The Apache Software Foundation
4.0.0 to 4.0.6
4.1.0 to 4.1.36
Undeploy the "Examples" web application.