CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2011-2088
https://notcve.org/view.php?id=CVE-2011-2088
XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3. XWork v2.2.1 en Apache Struts v2.2.1, y XWork OpenSymphony en OpenSymphony WebWork, permite a atacantes remotos obtener información sensible acerca de las rutas internas de clases Java a través de vectores implican un elemento s:submit y un método inexistente, una vulnerabilidad diferente de CVE-2011-1772.3. • http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html http://www.securityfocus.com/archive/1/518066/100/0/threaded http://www.ventuneac.net/security-advisories/MVSA-11-006 https://issues.apache.org/jira/browse/WW-3579 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 2.6EPSS: 0%CPEs: 30EXPL: 5CVE-2011-1772 – Apache Struts 2.0.0 < 2.2.1.1 - XWork 's:submit' HTML Tag Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-1772
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en XWork en Apache Struts v2.x anterior a v2.2.3, y OpenSymphony XWork en OpenSymphony WebWork, permite a atacantes remotos inyectar código web script o HTML a través de vectores que implican (1) un "action name", (2) la acción atributo de un elemento "s:submit", o (3) el atributo del método del elemento "s:submit". Apache Struts 2 framework before version 2.2.3 is vulnerable to reflected cross site scripting attacks when default XWork generated error messages are displayed. • https://www.exploit-db.com/exploits/35735 http://jvn.jp/en/jp/JVN25435092/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2011-000106 http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html http://struts.apache.org/2.2.3/docs/version-notes-223.html http://struts.apache.org/2.x/docs/s2-006.html http://www.securityfocus.com/bid/47784 http://www.ventun • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •