Vulnerability Description
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Struts | 2.0.0 |
| Opensymphony | Webwork | All versions |
| Opensymphony | Xwork | All versions |
Related Weaknesses (CWE)
References
- http://jvn.jp/en/jp/JVN25435092/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2011-000106
- http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pag
- http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflectedExploit
- http://struts.apache.org/2.2.3/docs/version-notes-223.html
- http://struts.apache.org/2.x/docs/s2-006.htmlExploitPatch
- http://www.securityfocus.com/bid/47784Exploit
- http://www.ventuneac.net/security-advisories/MVSA-11-006Exploit
- http://www.vupen.com/english/advisories/2011/1198Vendor Advisory
- https://issues.apache.org/jira/browse/WW-3579Patch
- http://jvn.jp/en/jp/JVN25435092/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2011-000106
- http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pag
- http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflectedExploit
- http://struts.apache.org/2.2.3/docs/version-notes-223.html
FAQ
What is CVE-2011-1772?
CVE-2011-1772 is a vulnerability with a CVSS score of 2.6 (LOW). Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or...
How severe is CVE-2011-1772?
CVE-2011-1772 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-1772?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts, Opensymphony Webwork, Opensymphony Xwork.