CVE-2009-1275: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 2, 2022 (updated January 23, 2024)

Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.

References

svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt?revision=741913
github.com/advisories/GHSA-2c6q-rgvj-66rx
nvd.nist.gov/vuln/detail/CVE-2009-1275

Code Behaviors & Features

Detect and mitigate CVE-2009-1275 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →