Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-VWHV-J36G-5RM8
HistoryMay 14, 2022 - 1:57 a.m.

Cross-site Scripting in Apache Struts

2022-05-1401:57:02
CWE-79
GitHub Advisory Database
github.com
9

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.005 Low

EPSS

Percentile

76.0%

JSON

When the Struts2 debug mode is turned on, under certain conditions an arbitrary script may be executed in the ‘Problem Report’ screen. Also if JSP files are exposed to be accessed directly it’s possible to execute an arbitrary script.

It is generally not advisable to have debug mode switched on outside of the development environment. Debug mode should always be turned off in production setup. Also never expose JSPs files directly and hide them inside WEB-INF folder or define dedicated security constraints to block access to raw JSP files.

Struts >= 2.3.20 is not vulnerable to this attack. We recommend upgrading to Struts 2.3.20 or higher.

Affected configurations

Vulners
Node
org.apache.struts\struts2Matchcore
CPENameOperatorVersion
org.apache.struts:struts2-corelt2.3.20

Related

prion 1
osv 1
jvn 1
cve 1
f5 2
cvelist 1
openvas 2
nvd 1
ubuntucve 1
nessus 1
ibm 2
prion
prion
Cross site scripting
2017-09-25 21:29:00
osv
osv
Cross-site Scripting in Apache Struts
2022-05-14 01:57:02
jvn
jvn
JVN#95989300: Apache Struts vulnerable to cross-site scripting
2015-09-04 00:00:00
cve
cve
CVE-2015-5169
2017-09-25 21:29:00
f5
f5
SOL17449 - Apache Struts 2 vulnerability CVE-2015-5169
2015-10-16 00:00:00
K17449 : Apache Struts 2 vulnerability CVE-2015-5169
2015-10-16 00:00:00
cvelist
cvelist
CVE-2015-5169
2017-09-25 21:00:00
openvas
openvas
Apache Struts 'Problem Report' XSS Vulnerability (S2-025)
2017-10-06 00:00:00
Apache Struts Security Update (S2-021, S2-022, S2-023, S2-025)
2019-08-28 00:00:00
nvd
nvd
CVE-2015-5169
2017-09-25 21:29:00
ubuntucve
ubuntucve
CVE-2015-5169
2017-09-25 00:00:00
nessus
nessus
Apache Struts 2 Multiple Vulnerabilities (S2-023) (S2-025)
2014-12-10 00:00:00
ibm
ibm
Security Bulletin: IBM Call Center and Apache Struts Struts upgrade strategy (various CVEs, see below)
2022-09-14 17:37:56
Security Bulletin: IBM Sterling Order Management Apache Struts upgrade strategy (various CVEs, see below)
2022-09-14 17:45:15

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.005 Low

EPSS

Percentile

76.0%

JSON
Related for GHSA-VWHV-J36G-5RM8
prion1osv1jvn1cve1f52cvelist1openvas2nvd1ubuntucve1nessus1ibm2