CVE-2006-1546: Improper Input Validation in Apache Struts

Severity: 7.5 HIGH (NVD)
EPSS: 1.6% (top 18.20%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 30
Latest update: May 1

Description

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with an 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled; the cancellation goes undetected by applications that do not use the isCancelled check.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4

Affected Packages (1 package)

NVD: apache/struts 1.2.8

🔴 Vulnerability Details (3)

OSV: Apache Struts vulnerable to Improper Input Validation (2022-05-01)
GHSA: Apache Struts vulnerable to Improper Input Validation (2022-05-01)
CVEList: CVE-2006-1546: Apache Software Foundation (ASF) Struts before 1 (2006-03-30)

📋 Vendor Advisories (1)

Red Hat: struts bypass validation (2006-03-22)

💬 Community (4)

Bugzilla: CVE-2006-1546 struts bypass validation (2008-01-28)
Bugzilla: CVE-2006-1546 Struts multiple issues (CVE-2006-1547, CVE-2006-1548) (2006-08-15)
Bugzilla: CVE-2006-1546 Struts multiple issues (CVE-2006-1547, CVE-2006-1548) (2006-03-31)
Bugzilla: CVE-2006-1546 Struts multiple issues (CVE-2006-1547, CVE-2006-1548) (2006-03-31)