CVE-2011-1772
Apache Struts 2.0.0 < 2.2.1.1 - XWork 's:submit' HTML Tag Cross-Site Scripting
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
5Exploited in Wild
-Decision
Descriptions
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.
Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en XWork en Apache Struts v2.x anterior a v2.2.3, y OpenSymphony XWork en OpenSymphony WebWork, permite a atacantes remotos inyectar código web script o HTML a través de vectores que implican (1) un "action name", (2) la acción atributo de un elemento "s:submit", o (3) el atributo del método del elemento "s:submit".
Apache Struts 2 framework before version 2.2.3 is vulnerable to reflected cross site scripting attacks when default XWork generated error messages are displayed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2011-04-19 CVE Reserved
- 2011-05-10 First Exploit
- 2011-05-11 CVE Published
- 2024-05-29 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (11)
URL | Tag | Source |
---|---|---|
http://jvn.jp/en/jp/JVN25435092/index.html | Third Party Advisory | |
http://jvndb.jvn.jp/jvndb/JVNDB-2011-000106 | Third Party Advisory | |
http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html | X_refsource_misc | |
http://struts.apache.org/2.2.3/docs/version-notes-223.html | X_refsource_confirm |
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/35735 | 2011-05-10 | |
http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html | 2024-08-06 | |
http://struts.apache.org/2.x/docs/s2-006.html | 2024-08-06 | |
http://www.securityfocus.com/bid/47784 | 2024-08-06 | |
http://www.ventuneac.net/security-advisories/MVSA-11-006 | 2024-08-06 |
URL | Date | SRC |
---|---|---|
https://issues.apache.org/jira/browse/WW-3579 | 2012-01-19 |
URL | Date | SRC |
---|---|---|
http://www.vupen.com/english/advisories/2011/1198 | 2012-01-19 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.0 Search vendor "Apache" for product "Struts" and version "2.0.0" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.1 Search vendor "Apache" for product "Struts" and version "2.0.1" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.2 Search vendor "Apache" for product "Struts" and version "2.0.2" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.3 Search vendor "Apache" for product "Struts" and version "2.0.3" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.4 Search vendor "Apache" for product "Struts" and version "2.0.4" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.5 Search vendor "Apache" for product "Struts" and version "2.0.5" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.6 Search vendor "Apache" for product "Struts" and version "2.0.6" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.7 Search vendor "Apache" for product "Struts" and version "2.0.7" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.8 Search vendor "Apache" for product "Struts" and version "2.0.8" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.9 Search vendor "Apache" for product "Struts" and version "2.0.9" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.10 Search vendor "Apache" for product "Struts" and version "2.0.10" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.11 Search vendor "Apache" for product "Struts" and version "2.0.11" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.11.1 Search vendor "Apache" for product "Struts" and version "2.0.11.1" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.11.2 Search vendor "Apache" for product "Struts" and version "2.0.11.2" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.12 Search vendor "Apache" for product "Struts" and version "2.0.12" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.13 Search vendor "Apache" for product "Struts" and version "2.0.13" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.0.14 Search vendor "Apache" for product "Struts" and version "2.0.14" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.1.0 Search vendor "Apache" for product "Struts" and version "2.1.0" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.1.1 Search vendor "Apache" for product "Struts" and version "2.1.1" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.1.2 Search vendor "Apache" for product "Struts" and version "2.1.2" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.1.3 Search vendor "Apache" for product "Struts" and version "2.1.3" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.1.4 Search vendor "Apache" for product "Struts" and version "2.1.4" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.1.5 Search vendor "Apache" for product "Struts" and version "2.1.5" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.1.6 Search vendor "Apache" for product "Struts" and version "2.1.6" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.1.8 Search vendor "Apache" for product "Struts" and version "2.1.8" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.1.8.1 Search vendor "Apache" for product "Struts" and version "2.1.8.1" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.2.1 Search vendor "Apache" for product "Struts" and version "2.2.1" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Struts Search vendor "Apache" for product "Struts" | 2.2.1.1 Search vendor "Apache" for product "Struts" and version "2.2.1.1" | - |
Affected
| ||||||
Opensymphony Search vendor "Opensymphony" | Webwork Search vendor "Opensymphony" for product "Webwork" | * | - |
Affected
| ||||||
Opensymphony Search vendor "Opensymphony" | Xwork Search vendor "Opensymphony" for product "Xwork" | * | - |
Affected
|