CVE-2011-2087

Apache Struts 2.x < 2.2.3 - Cross-Site Scripting via Java Templates Plugin Handlers

Title source: llm
STIX 2.1

Description

Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of value attributes in (1) FileHandler.java, (2) HiddenHandler.java, (3) PasswordHandler.java, (4) RadioHandler.java, (5) ResetHandler.java, (6) SelectHandler.java, (7) SubmitHandler.java, and (8) TextFieldHandler.java.

References (4)

Core 4
Core References
Exploit x_refsource_confirm
https://issues.apache.org/jira/browse/WW-3597
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/1198
Various Sources x_refsource_confirm
https://issues.apache.org/jira/browse/WW-3608

Scores

EPSS 0.0613
EPSS Percentile 92.6%

Details

CWE
CWE-79
Status published
Products (29)
apache/struts 2.0.0
apache/struts 2.0.1
apache/struts 2.0.2
apache/struts 2.0.3
apache/struts 2.0.4
apache/struts 2.0.5
apache/struts 2.0.6
apache/struts 2.0.7
apache/struts 2.0.8
apache/struts 2.0.9
... and 19 more
Published May 13, 2011
Tracked Since Feb 18, 2026