CVE-2011-2087
EPSS 1.4%Apache Struts Multiple XSS Vulnerabilities
Published: 5/17/2022Modified: 12/2/2024
Also known as:GHSA-5pgj-r7c6-7c7w
Description
Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a `.action` URI, related to improper handling of value attributes in 1. `FileHandler.java` 1. `HiddenHandler.java` 1. `PasswordHandler.java` 1. `RadioHandler.java` 1. `ResetHandler.java` 1. `SelectHandler.java` 1. `SubmitHandler.java` 1. `TextFieldHandler.java`
Affected packages (1)
- Maven/org.apache.struts:struts2-parentfrom 0, < 2.2.3
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2011-2087
- PATCHhttps://github.com/apache/struts
- WEBhttps://github.com/apache/struts/commit/1736b56db702c6639a6d5ae1146dba5a262e3344
- WEBhttps://issues.apache.org/jira/browse/WW-3597
- WEBhttps://issues.apache.org/jira/browse/WW-3608
- WEBhttp://struts.apache.org/2.2.3/docs/version-notes-223.html