Apache Struts is vulnerable to Cross-site Scripting

2022-05-1705:52:45

CWE-79

GitHub Advisory Database

github.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6 Medium

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

84.0%

JSON

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag.

Affected configurations

Vulners

Node

org.apache.struts\struts2Matchcore

CPENameOperatorVersion
org.apache.struts:struts2-corelt2.1.1
org.apache.struts:struts2-corelt2.0.11.1

CPE	Name	Operator	Version
	org.apache.struts:struts2-core	lt	2.1.1
	org.apache.struts:struts2-core	lt	2.0.11.1

References

github.com/advisories/GHSA-jgcr-9c2q-rvp8

github.com/apache/struts/commit/09147ffad2b3046ed21af0f524c5088e2ac551e6

github.com/apache/struts/commit/bd3f2f59c9b09f70aed3ebab6bb69b464ee2d6cb

github.com/apache/struts/commit/dae026a0f0511f83852053bae9d5a622e7f80486

issues.apache.org/struts/browse/WW-2414

issues.apache.org/struts/browse/WW-2427

nvd.nist.gov/vuln/detail/CVE-2008-6682

web.archive.org/web/20080610075918/www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449i20.html

web.archive.org/web/20080611112834/www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449.html

web.archive.org/web/20200229155553/www.securityfocus.com/bid/34686