#VU90113 Cross-site scripting in Apache Struts - CVE-2011-1772
Published: May 31, 2024
Vulnerability identifier: #VU90113
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear
CVE-ID: CVE-2011-1772
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Apache Struts
Apache Struts
Software vendor:
Apache Foundation
Apache Foundation
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..
External links
- http://jvn.jp/en/jp/JVN25435092/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2011-000106
- http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html
- http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html
- http://struts.apache.org/2.2.3/docs/version-notes-223.html
- http://struts.apache.org/2.x/docs/s2-006.html
- http://www.securityfocus.com/bid/47784
- http://www.ventuneac.net/security-advisories/MVSA-11-006
- http://www.vupen.com/english/advisories/2011/1198
- https://issues.apache.org/jira/browse/WW-3579