Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qZ2NyLTljMnEtcnZwOM4AAgP6
Apache Struts is vulnerable to Cross-site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag.
Permalink: https://github.com/advisories/GHSA-jgcr-9c2q-rvp8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qZ2NyLTljMnEtcnZwOM4AAgP6
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 3 months ago
Identifiers: GHSA-jgcr-9c2q-rvp8, CVE-2008-6682
References:
- https://nvd.nist.gov/vuln/detail/CVE-2008-6682
- https://issues.apache.org/struts/browse/WW-2414
- https://issues.apache.org/struts/browse/WW-2427
- https://github.com/apache/struts/commit/09147ffad2b3046ed21af0f524c5088e2ac551e6
- https://github.com/apache/struts/commit/bd3f2f59c9b09f70aed3ebab6bb69b464ee2d6cb
- https://github.com/apache/struts/commit/dae026a0f0511f83852053bae9d5a622e7f80486
- https://web.archive.org/web/20080610075918/http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449i20.html
- https://web.archive.org/web/20080611112834/http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449.html
- https://web.archive.org/web/20200229155553/http://www.securityfocus.com/bid/34686
- https://github.com/advisories/GHSA-jgcr-9c2q-rvp8
Blast Radius: 0.0
Affected Packages
maven:org.apache.struts:struts2-core
Dependent packages: 194Dependent repositories: 6,183
Downloads:
Affected Version Ranges: >= 2.1.0, < 2.1.1, >= 2.0.0, < 2.0.11.1
Fixed in: 2.1.1, 2.0.11.1
All affected versions:
All unaffected versions: 2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.11, 2.0.12, 2.0.14, 2.1.2, 2.1.6, 2.1.8, 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.5.1, 2.5.2, 2.5.5, 2.5.8, 2.5.10, 2.5.12, 2.5.13, 2.5.14, 2.5.16, 2.5.17, 2.5.18, 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 2.5.33, 6.0.0, 6.0.3, 6.1.1, 6.1.2, 6.2.0, 6.3.0, 6.4.0