Apache Struts Multiple Function Error Message XSS

2006-02-22T10:17:36
ID: OSVDB:24365
Type: osvdb
Reporter: OSVDB
Modified: 2006-02-22T10:17:36

Description

Solution Description

Upgrade to version 1.2.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[target]:8988/[path]/browse.do?act=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&select=1177281

References:

Vendor URL: http://struts.apache.org/
Vendor Specific News/Changelog Entry: http://issues.apache.org/bugzilla/show_bug.cgi?id=38749
Vendor Specific News/Changelog Entry: http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html
Security Tracker: 1015856
Secunia Advisory ID: 20117
Secunia Advisory ID: 19493
Related OSVDB ID: 24363
Related OSVDB ID: 24364
Other Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html
CVE-2006-1548
Bugtraq ID: 17342