CVE-2008-6682

Apache Struts 2.0.0-2.0.11 and 2.1.0 - Cross-Site Scripting via s:a href and s:url action Attributes

Title source: llm
STIX 2.1

Description

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag.

Scores

EPSS 0.0561
EPSS Percentile 92.0%

Details

CWE
CWE-79
Status published
Products (6)
apache/struts 2.0.6
apache/struts 2.0.8
apache/struts 2.0.9
apache/struts 2.0.11
apache/struts 2.1
org.apache.struts/struts2-core 2.0.0 - 2.0.11.1Maven
Published Apr 09, 2009
Tracked Since Feb 18, 2026