Vulnerability Details : CVE-2011-1772
Potential exploit
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2011-1772
- cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:opensymphony:xwork:*:*:*:*:*:*:*:*
- cpe:2.3:a:opensymphony:webwork:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-1772
75.49%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-1772
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
2.6
|
LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N |
4.9
|
2.9
|
NIST |
CWE ids for CVE-2011-1772
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-1772
-
http://jvn.jp/en/jp/JVN25435092/index.html
JVN#25435092: Apache Struts vulnerable to cross-site scripting
-
http://struts.apache.org/2.2.3/docs/version-notes-223.html
Version Notes 2.2.3 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation
-
https://issues.apache.org/jira/browse/WW-3579
[WW-3579] Struts 2 <s:submit> XSS vulnerability - ASF JIRAPatch
-
http://www.vupen.com/english/advisories/2011/1198
Webmail | OVH- OVHVendor Advisory
-
http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html
Secure.App.Dev: Apache Struts 2, XWork, WebWork ... Reflected XSS VulnerabilitiesExploit
-
http://www.ventuneac.net/security-advisories/MVSA-11-006
MVSA-11-006 - Marian VentuneacExploit
-
http://www.securityfocus.com/bid/47784
Apache Struts XWork 's:submit' HTML Tag Cross Site Scripting VulnerabilityExploit
-
http://jvndb.jvn.jp/jvndb/JVNDB-2011-000106
JVNDB-2011-000106 - JVN iPedia - 脆弱性対策情報データベース
-
http://struts.apache.org/2.x/docs/s2-006.html
S2-006 - DEPRECATED: Apache Struts 2 Documentation - Apache Software FoundationExploit;Patch
-
http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html
Secure.App.Dev
Jump to