Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-1772 — Cross-site Scripting in Apache Struts

CWE-79 — Cross-site Scripting CWE-200 — Sensitive Information Exposure10 documents7 sources

Severity

2.6LOWNVD

EPSS

59.2%

top 1.76%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Struts

Timeline

PublishedMay 13

Latest updateMay 17

Description

Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.

CVSS vector

AV:N/AC:H/C:N/I:P/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/struts28 versions+27

Patches

Patch: struts.apache.org ↗Patch: issues.apache.org ↗Patch: struts.apache.org ↗

🔴Vulnerability Details

OSV

Cross-site Scripting in Apache Struts↗2022-05-17

▶

GHSA

Cross-site Scripting in Apache Struts↗2022-05-17

▶

GHSA

XWork in Apache Struts Reveals Sensitive Information↗2022-05-14

▶

CVEList

CVE-2011-1772: Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2↗2011-05-13

▶

💥Exploits & PoCs

Exploit-DB

Apache Struts 2.0.0 < 2.2.1.1 - XWork 's:submit' HTML Tag Cross-Site Scripting↗2011-05-10

▶

📋Vendor Advisories

Red Hat

struts: Multiple XSS flaws in XWork↗2011-02-22

▶

Red Hat

struts: Allows remote attackers to obtain potentially sensitive information via vectors involving an s:submit element↗2011-02-22

▶

💬Community

Bugzilla

CVE-2011-1772 struts: Multiple XSS flaws in XWork↗2011-07-21

▶