Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yYzZxLXJndmotNjZyeM3D_g
Apache Tiles Vulnerable to XSS via EL Expression Injection
Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute
and (2) tiles:insertTemplate
JSP tags.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yYzZxLXJndmotNjZyeM3D_g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 3 months ago
Identifiers: GHSA-2c6q-rgvj-66rx, CVE-2009-1275
References:
- https://nvd.nist.gov/vuln/detail/CVE-2009-1275
- http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt?revision=741913
- https://github.com/advisories/GHSA-2c6q-rgvj-66rx
Blast Radius: 0.0
Affected Packages
maven:org.apache.tiles:tiles-core
Dependent packages: 62Dependent repositories: 7,904
Downloads:
Affected Version Ranges: >= 2.1, < 2.1.2
Fixed in: 2.1.2
All affected versions: 2.1.0, 2.1.1
All unaffected versions: 2.0.1, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 3.0.0, 3.0.1, 3.0.3, 3.0.4, 3.0.5, 3.0.7, 3.0.8