CVE-2016-1182

HIGH

Apache Struts 1.x-1.3.10 - Cross-Site Scripting or Denial of Service via Validator Configuration

Title source: llm
STIX 2.1

Description

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.

References (20)

Core 20
Core References
Third Party Advisory, VDB Entry, Vendor Advisory third-party-advisory x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000097
Vendor Advisory third-party-advisory x_refsource_jvn
http://jvn.jp/en/jp/JVN65044642/index.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036056
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91067
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91787
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180629-0006/
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1343540
Third Party Advisory x_refsource_confirm
https://security-tracker.debian.org/tracker/CVE-2016-1182

Scores

CVSS v3 8.2
EPSS 0.0322
EPSS Percentile 87.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Details

CWE
CWE-20
Status published
Products (22)
apache/struts 1.0 (4 CPE variants)
apache/struts 1.0.1
apache/struts 1.0.2
apache/struts 1.1 (6 CPE variants)
apache/struts 1.2.0
apache/struts 1.2.1
apache/struts 1.2.2
apache/struts 1.2.3
apache/struts 1.2.4
apache/struts 1.2.5
... and 12 more
Published Jul 04, 2016
Tracked Since Feb 18, 2026