THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
Summary
| Excerpt |
|---|
Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags |
Who should read this | All Struts 2 developers |
|---|---|
Impact of vulnerability | Injection of malicious client side code |
Maximum security rating | Important |
Recommendation | Developers using Struts 2 tags should immediately upgrade to Struts 2. |
2.1 | |
Affected Software | Struts 2.0.0 - Struts 2.1. |
|---|
8. |
1 | |
Original JIRA Tickets | |
|---|---|
| CVE Identifier | CVE-2008-6682 |
Problem
For both the <s:url> and the <s:a> tag, it is possible to inject parameter values that do not get escaped properly when the tag's resulting URLs are constructed and rendered. The following scenarios are known:
- A parameter value included in the construction of a <s:a> result can inject an unescaped double quote, thus being able to inject code in the resulting HTML by escaping the rendered
hrefattribute. - Both the <s:url> and the <s:a> tag fail to escape <script> tags when
includeParamsis set to any other value than "none", which can be exploited by calling the containing JSP/action with GET parameters such ashttp://localhost/foo/bar.action?<script>alert(1)</script>test=hello
...
- Double quotes do get escaped for parameter values used to constuct the output of a <s:a> tag
- <script> tokens do get recursively escaped for parameter values used to contruct the output of <s:a> and <s:url> tags
You can obtain Struts Later findings revealed that 2.0.11.1 as a drop in replacement for Struts 2.0.11 to get the fixed Struts 2 core library.does not fix the issue properly.
Minimum required version fixing this particular issue: 2.2.1