CVE-2008-6682: XSS
First published: Thu Apr 09 2009(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.struts:struts2-core | >=2.1.0<2.1.1 | 2.1.1 |
| maven/org.apache.struts:struts2-core | >=2.0.0<2.0.11.1 | 2.0.11.1 |
| Apache Struts 2 | =2.0.6 | |
| Apache Struts 2 | =2.0.8 | |
| Apache Struts 2 | =2.0.9 | |
| Apache Struts 2 | =2.0.11 | |
| Apache Struts 2 | =2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449i20.html
- https://issues.apache.org/struts/browse/WW-2427
- http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449.html
- https://issues.apache.org/struts/browse/WW-2414
- http://www.securityfocus.com/bid/34686
- https://nvd.nist.gov/vuln/detail/CVE-2008-6682
- https://github.com/apache/struts/commit/09147ffad2b3046ed21af0f524c5088e2ac551e6
- https://github.com/apache/struts/commit/bd3f2f59c9b09f70aed3ebab6bb69b464ee2d6cb
- https://github.com/apache/struts/commit/dae026a0f0511f83852053bae9d5a622e7f80486
- https://web.archive.org/web/20080610075918/http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449i20.html
- https://web.archive.org/web/20080611112834/http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449.html
- https://web.archive.org/web/20200229155553/http://www.securityfocus.com/bid/34686
- https://github.com/advisories/GHSA-jgcr-9c2q-rvp8 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2008-6682?
CVE-2008-6682 has a medium severity rating due to the presence of multiple cross-site scripting vulnerabilities.
How do I fix CVE-2008-6682?
To mitigate CVE-2008-6682, upgrade Apache Struts to version 2.0.11.1 or 2.1.1 or higher.
What versions of Apache Struts are affected by CVE-2008-6682?
CVE-2008-6682 affects Apache Struts versions 2.0.6, 2.0.8, 2.0.9, and all 2.1.x versions prior to 2.1.1.
What types of attacks can occur due to CVE-2008-6682?
CVE-2008-6682 allows remote attackers to perform cross-site scripting attacks through the improper handling of HTML and script injection.
Is there a public exploit available for CVE-2008-6682?
While specific exploits for CVE-2008-6682 may exist, they are typically not publicly disclosed to prevent abuse.
- agent/type
- agent/remedy
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jgcr-9c2q-rvp8
- alias/CVE-2008-6682
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-historical
- agent/softwarecombine
- package-manager/maven
- vendor/apache
- canonical/apache struts 2
- version/apache struts 2/2.0.6
- version/apache struts 2/2.0.8
- version/apache struts 2/2.0.9
- version/apache struts 2/2.0.11
- version/apache struts 2/2.1