Vulnerability Description
Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Struts | All versions |
| Apache | Tiles | 2.1.0 |
References
- http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/securitVendor Advisory
- http://www.securityfocus.com/bid/34657
- https://issues.apache.org/struts/browse/TILES-351Vendor Advisory
- http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/securitVendor Advisory
- http://www.securityfocus.com/bid/34657
- https://issues.apache.org/struts/browse/TILES-351Vendor Advisory
FAQ
What is CVE-2009-1275?
CVE-2009-1275 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cros...
How severe is CVE-2009-1275?
CVE-2009-1275 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-1275?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts, Apache Tiles.