CVE-2008-2025Cross-site Scripting in Apache Struts

CWE-79Cross-site ScriptingCWE-693Protection Mechanism FailureCWE-200Sensitive Information ExposureCWE-190Integer Overflow or WraparoundCWE-122Heap-based Buffer OverflowCWE-41Improper Resolution of Path EquivalenceCWE-73External Control of File Name or PathCWE-416Use After FreeCWE-191Integer Underflow (Wrap or Wraparound)CWE-400Uncontrolled Resource ConsumptionCWE-20Improper Input Validation21 documents10 sources
Severity
4.3MEDIUMNVD
EPSS
3.2%
top 12.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Struts
Timeline
PublishedApr 9
Latest updateApr 16

Description

Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters."

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDapache/struts5 versions+4

Patches

Patch: download.opensuse.orgPatch: download.opensuse.org

🔴Vulnerability Details

3
OSV
Apache Struts Cross-site Scripting vulnerability2022-05-01
GHSA
Apache Struts Cross-site Scripting vulnerability2022-05-01
CVEList
CVE-2008-2025: Cross-site scripting (XSS) vulnerability in Apache Struts before 12009-04-09

📋Vendor Advisories

3
Red Hat
kernel: spufs: fix a leak in spufs_create_context()2025-04-16
Microsoft
MapUrlToZone Security Feature Bypass Vulnerability2025-01-14
Red Hat
struts: XSS vulnerability2009-04-06

🕵️Threat Intelligence

1
Tenable
Tenable updates plugin subscription model for Nessus Vulnerability Scanner2008-05-14

💬Community

1
Bugzilla
CVE-2008-2025 struts: XSS vulnerability2009-04-09
CVE-2008-2025 — Cross-site Scripting in Apache Struts | cvebase