The message argument of Apache Tomact's HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason-phrase of HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user supplied data must be included in the message argument.   Credit:
The information has been provided by Mark Thomas.
The original article can be found at: http://tomcat.apache.org/security.html

Vulnerable Systems:
 * Tomcat versions 4.1.0 to 4.1.37
 * Tomcat versions 5.5.0 to 5.5.26
 * Tomcat versions 6.0.0 to 6.0.16

Immune Systems:
 * Tomcat versions 4.1.38
 * Tomcat versions 5.5.27
 * Tomcat versions 6.0.18

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680947&view=rev

4.1.x users should obtain the latest source from svn or apply this patch which will be included from 4.1.38
http://svn.apache.org/viewvc?rev=680947&view=rev (connector only)
http://svn.apache.org/viewvc?rev=680948&view=rev

Example:
<%@page contentType="text/html"%>
<%
~ // some unicode characters, that result in CRLF being printed
~ final String CRLF = "\u010D\u010A";

~ final String payload = CRLF + CRLF + "<script type='text/javascript'>document.write('Hi, there!')</script><div style='display:none'>";
~ final String message = "Authorization is required to access " + payload;
~ response.sendError(403, message);
%>