Versions Compared

Old Version 11

changes.mady.by.user René Gielen

Saved on

compared with

New Version Current

changes.mady.by.user Lukasz Lenart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Who should read this

All Struts 2 developers

Impact of vulnerability

Injection of malicious client side code

Maximum security rating

Important

Recommendation

Developers using Struts 2 tags should immediately upgrade to Struts 2.2.1

Affected Software

Struts 2.0.0 - Struts 2.1.8.1

Original JIRA Tickets

WW-2414, WW-2427

CVE IdentifierCVE-2008-6682

Problem

For both the <s:url> and the <s:a> tag, it is possible to inject parameter values that do not get escaped properly when the tag's resulting URLs are constructed and rendered. The following scenarios are known:

...