GHSA-56f8-g68r-j699
Suggest an improvement- Source
- https://github.com/advisories/GHSA-56f8-g68r-j699
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-56f8-g68r-j699/GHSA-56f8-g68r-j699.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-56f8-g68r-j699
- Aliases
-
- CVE-2011-1772
- Published
- 2022-05-17T05:35:28Z
- Modified
- 2024-12-04T05:41:11.148238Z
- Summary
- Cross-site Scripting in Apache Struts
- Details
-
Multiple Cross-Site Scripting (XSS) in XWork generated error pages in Apache Struts. By default, XWork doesn't escape action's names in automatically generated error page, allowing for a successful XSS attack. When Dynamic Method Invocation (DMI) is enabled, the action name is generated dynamically base on request parameters. This allows to call non-existing page and method to produce error page with injected code as below. As of Struts 2.2.3 the action names are escaped when automatically generated error pages are rendered.
- Database specific
{ "github_reviewed": true, "severity": "LOW", "github_reviewed_at": "2022-11-03T23:10:43Z", "nvd_published_at": "2011-05-13T17:05:00Z", "cwe_ids": [ "CWE-79" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2011-1772
- https://github.com/apache/struts
- https://issues.apache.org/jira/browse/WW-3579
- http://jvn.jp/en/jp/JVN25435092/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2011-000106
- http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html
- http://struts.apache.org/2.2.3/docs/version-notes-223.html
- http://struts.apache.org/2.x/docs/s2-006.html
Affected packages
Maven / org.apache.struts:struts2-core
Package
- Name
- org.apache.struts:struts2-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.struts/struts2-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.2.3