CVE-2009-1275 : Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, eval

Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.

Published 2009-04-09 15:08:36

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2009-1275

Apache » Tiles » Version: 2.1.1
cpe:2.3:a:apache:tiles:2.1.1:*:*:*:*:*:*:*
Matching versions
When used together with: Apache » Struts
Apache » Tiles » Version: 2.1.0
cpe:2.3:a:apache:tiles:2.1.0:*:*:*:*:*:*:*
Matching versions
When used together with: Apache » Struts

Exploit prediction scoring system (EPSS) score for CVE-2009-1275

EPSS FAQ

2.83%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 85 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2009-1275

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

References for CVE-2009-1275

http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt?revision=741913

Vendor Advisory
https://issues.apache.org/struts/browse/TILES-351

404 Not Found
Vendor Advisory
http://www.securityfocus.com/bid/34657

Jump to

Vulnerability Details : CVE-2009-1275

Products affected by CVE-2009-1275

Exploit prediction scoring system (EPSS) score for CVE-2009-1275

CVSS scores for CVE-2009-1275

References for CVE-2009-1275