Withdrawn Advisory: Apache Struts XSS

Description

Withdrawn Advisory

This advisory has been withdrawn because it was deemed invalid. This link is maintained to preserve external references.

Original Description

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Not specified
Published (advisory)
2022-05-14 02:21:24 UTC
Updated
2026-05-14 13:03:56 UTC
GitHub reviewed
2022-11-03 21:09:51 UTC
NVD published
2012-02-06
Withdrawn
2026-05-14 13:03:54 UTC

EPSS Score

Score Percentile
23.02% 95.84%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits

  • warkentyne (analyst)
  • urielcos (analyst)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven org.apache.struts:struts-core <= 1.3.10
maven struts:struts <= 1.3.10

References

cvelogic Threat Intelligence