CVE-2011-2087: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 17, 2022 (updated January 19, 2024)

Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of value attributes in (1) FileHandler.java, (2) HiddenHandler.java, (3) PasswordHandler.java, (4) RadioHandler.java, (5) ResetHandler.java, (6) SelectHandler.java, (7) SubmitHandler.java, and (8) TextFieldHandler.java.

References

struts.apache.org/2.2.3/docs/version-notes-223.html
github.com/advisories/GHSA-5pgj-r7c6-7c7w
github.com/apache/struts/commit/1736b56db702c6639a6d5ae1146dba5a262e3344
issues.apache.org/jira/browse/WW-3597
issues.apache.org/jira/browse/WW-3608
nvd.nist.gov/vuln/detail/CVE-2011-2087

Code Behaviors & Features

Detect and mitigate CVE-2011-2087 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →