Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1tM3g2LTl2NmgtNGcyOM4AAUxh

Moderate EPSS: 0.02936% (0.85846 Percentile) EPSS:
Permalink JSON

Cross-site Scripting in Apache Struts

Affected Packages Affected Versions Fixed Versions
maven:org.apache.struts:struts2-core >= 2.0.0, < 2.3.28 2.3.28
194 Dependent packages
6,183 Dependent repositories

Affected Version Ranges

All affected versions

2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.11, 2.0.12, 2.0.14, 2.1.2, 2.1.6, 2.1.8, 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.20, 2.3.24

All unaffected versions

2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.5.1, 2.5.2, 2.5.5, 2.5.8, 2.5.10, 2.5.12, 2.5.13, 2.5.14, 2.5.16, 2.5.17, 2.5.18, 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 2.5.33, 6.0.0, 6.0.3, 6.1.1, 6.1.2, 6.2.0, 6.3.0, 6.4.0, 6.6.0, 6.6.1, 6.7.0, 6.7.4, 7.0.0, 7.0.3

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

References:

Identifiers

GHSA-m3x6-9v6h-4g28

CVE-2016-4003

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.02936

EPSS Percentile: 0.85846

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/apache/struts

Date and time

Published

about 3 years ago

Updated

over 1 year ago

API

JSON