...
Who should read this | All Struts 2 developers |
---|---|
Impact of vulnerability | Injection of malicious client side code |
Maximum security rating | Important |
Recommendation | Developers using Struts 2 tags should immediately upgrade to Struts 2.02.11.1 |
Affected Software | Struts 2.0.0 - Struts 2.1.08.111 |
Original JIRA Tickets | |
CVE Identifier | CVE-2008-6682 |
Problem
For both the <s:url> and the <s:a> tag, it is possible to inject parameter values that do not get escaped properly when the tag's resulting URLs are constructed and rendered. The following scenarios are known:
...