Apache Struts Cross Site Scripting Vulnerability Network Vulnerability

Summary

This host is running Apache Struts and is prone to Cross Site Scripting Vulnerability.

Impact

Successful exploitation will let the attacker issue malicious URL or can inject malicious codes inside the web page contents to gain sensitive information. Impact Level: Application

Solution

Upgrade to Apache Struts version 2.1.1 or 2.0.11.1. http://struts.apache.org/download.cgi

Insight

This flaw is due to improper sanitization of the user supplied input in '<s:url>' and '<s:a ...>' tag which doesn't encode the URL parameter when specified in the action attribute which causes XSS attacks.

Affected

Apache Struts version 2.0 and prior to 2.0.11.1 Apache Struts version 2.1 and prior to 2.1.1

References

https://issues.apache.org/struts/browse/WW-2414
https://issues.apache.org/struts/browse/WW-2427

Updated on 2015-03-25

Severity

Classification

CVE CVE-2008-6682
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apache Archiva Home Page Cross-Site Scripting vulnerability
Adobe ColdFusion Multiple Path Disclosure Vulnerabilities
Apache Tomcat Information Disclosure Vulnerability
AN Guestbook Local File Inclusion Vulnerability
AlienForm CGI script

Take action and discover your vulnerabilities