Description

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.

Remediation

References

http://issues.apache.org/bugzilla/show_bug.cgi?id=38749

http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html

http://secunia.com/advisories/19493

http://secunia.com/advisories/20117

http://securitytracker.com/id?1015856

http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html

http://www.securityfocus.com/bid/17342

http://www.vupen.com/english/advisories/2006/1205

https://exchange.xforce.ibmcloud.com/vulnerabilities/25614

https://issues.apache.org/struts/browse/STR-2781

Related Vulnerabilities

CVE-2016-3726 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2015-0254 Vulnerability in maven package org.apache.taglibs:taglibs-standard-impl

CVE-2019-10170 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2020-28450 Vulnerability in npm package decal

CVE-2021-43843 Vulnerability in npm package jsx-slack

Severity

Critical

Tags

NVD-CWE-Other