Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag.
github.com/apache/struts
github.com/apache/struts/commit/09147ffad2b3046ed21af0f524c5088e2ac551e6
github.com/apache/struts/commit/bd3f2f59c9b09f70aed3ebab6bb69b464ee2d6cb
github.com/apache/struts/commit/dae026a0f0511f83852053bae9d5a622e7f80486
issues.apache.org/struts/browse/WW-2414
issues.apache.org/struts/browse/WW-2427
nvd.nist.gov/vuln/detail/CVE-2008-6682
web.archive.org/web/20080610075918/www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449i20.html
web.archive.org/web/20080611112834/www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449.html
web.archive.org/web/20200229155553/www.securityfocus.com/bid/34686