GHSA-2c6q-rgvj-66rx

Suggest an improvement
Source
https://github.com/advisories/GHSA-2c6q-rgvj-66rx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2c6q-rgvj-66rx/GHSA-2c6q-rgvj-66rx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2c6q-rgvj-66rx
Aliases
Published
2022-05-02T03:23:16Z
Modified
2024-12-06T05:37:15.914229Z
Summary
Apache Tiles Vulnerable to XSS via EL Expression Injection
Details

Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.

Database specific 
{
    "nvd_published_at": "2009-04-09T15:08:00Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2024-01-23T18:19:44Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-87",
        "CWE-917"
    ]
}
References

Affected packages

Maven / org.apache.tiles:tiles-core

Package

Name
org.apache.tiles:tiles-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tiles/tiles-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1
Fixed
2.1.2

Affected versions

2.*

2.1.0
2.1.1