Summary
This host is running Apache Struts and is prone to a cross-site scripting (XSS) vulnerability.
Impact
Successful exploitation lets an attacker craft a malicious URL or inject malicious code into web page contents to gain sensitive information.
Impact Level: Application
Solution
Upgrade to Apache Struts version 2.1.1 or 2.0.11.1.
http://struts.apache.org/download.cgi
Insight
The flaw is due to improper sanitization of user-supplied input in the '<s:url>' and '<s:a ...>' tags, which do not encode the URL parameter when it is specified in the action attribute, allowing XSS attacks.
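The class of bug described above, shown as an added example that is not Struts source code or part of the original advisory: a link renderer that concatenates parameters into an href unencoded, next to a version that percent-encodes each parameter and HTML-escapes the finished URL. The class and method names and the sample input are hypothetical and constructed for illustration; Java 10 or later is assumed for `URLEncoder.encode(String, Charset)`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class UrlTagEncodingExample {

    // Unsafe: names and values are concatenated into the URL as-is, so quotes
    // and angle brackets reach the href attribute unchanged.
    static String renderLinkUnsafe(String action, Map<String, String> params) {
        StringBuilder url = new StringBuilder(action);
        char sep = '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            url.append(sep).append(e.getKey()).append('=').append(e.getValue());
            sep = '&';
        }
        return "<a href=\"" + url + "\">link</a>";
    }

    // Hardened: percent-encode each name and value, then HTML-escape the
    // finished URL (action included) before writing it into the attribute.
    static String renderLinkSafe(String action, Map<String, String> params) {
        StringBuilder url = new StringBuilder(action);
        char sep = '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            url.append(sep)
               .append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
               .append('=')
               .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return "<a href=\"" + escapeHtmlAttribute(url.toString()) + "\">link</a>";
    }

    // Minimal escaper for a double-quoted HTML attribute value.
    static String escapeHtmlAttribute(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("'", "&#39;").replace("<", "&lt;").replace(">", "&gt;");
    }

    public static void main(String[] args) {
        // Constructed sample input: a value containing attribute-breaking characters.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "\"><b>constructed</b>");
        params.put("page", "2");
        System.out.println(renderLinkUnsafe("/list.action", params));
        System.out.println(renderLinkSafe("/list.action", params));
    }
}
```

In the hardened output the parameter separator appears as `&amp;` and the constructed value is fully percent-encoded, so nothing supplied in a parameter can close the attribute or open a new tag.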
Affected
Apache Struts 2.0.x versions prior to 2.0.11.1
Apache Struts 2.1.x versions prior to 2.1.1
References
Severity
Classification
- CVE: CVE-2008-6682
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N