CVE-2006-1546

Apache Struts < 1.2.9 - Request Validation Bypass via Cancel Parameter

Title source: llm
STIX 2.1

Description

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.

References (11)

Core 11
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015856
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1205
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/17342
Various Sources x_refsource_confirm
http://issues.apache.org/bugzilla/show_bug.cgi?id=38374
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19493
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/25612
Various Sources vendor-advisory x_refsource_suse
http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20117

Scores

EPSS 0.0614
EPSS Percentile 92.7%

Details

Status published
Products (2)
apache/struts < 1.2.8
struts/struts 0 - 1.2.9Maven
Published Mar 30, 2006
Tracked Since Feb 18, 2026