CVE-2012-1006
published 2012-02-07CVE-2012-1006: Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1)…
PriorityP335medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
58.48%
99.0th percentile
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | — | — |
| apache | struts | — | — |
Detection & IOCsextracted from sources · hover to see the quote
commandpersons%281%29.name=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&persons%281%29.lastName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&method%3Asave=Save+all+persons↗
- →Detect POST requests to struts2-showcase/person/editPerson.action with URL-encoded script tags in the 'name' or 'lastName' parameters (persistent/stored XSS vector). ↗
- →Detect POST requests to /struts2-rest-showcase/orders with URL-encoded script tags in the 'clientName' parameter (persistent/stored XSS vector). ↗
- →Detect POST requests to /struts-examples/upload/upload-submit.do?queryParam=Successful with script content in multipart form data (reflected XSS vector). ↗
- →Detect POST requests to /struts-cookbook/processSimple.do or /struts-cookbook/processDyna.do with URL-encoded script tags in the 'message' parameter (reflected XSS vector). ↗
- →Alert on HTTP requests containing the exploit-specific User-Agent strings 'struts2-showcase XSS-TEST', 'struts2-rest-showcase XSS-TEST', 'Struts-examples XSS-TEST', or 'Struts-cookbook XSS-TEST' as indicators of active exploitation attempts from this PoC. ↗
- →The vulnerability is persistent (stored) for Struts 2 showcase endpoints, meaning injected payloads are stored and served to subsequent users — prioritize inspection of stored data retrieval responses, not just POST requests. ↗
- ·The vulnerable endpoints are part of the Struts showcase/demo applications (struts2-showcase, struts2-rest-showcase, struts-examples, struts-cookbook), not the core framework itself. These should not be deployed in production environments. ↗
- ·No vendor fix was available at the time of advisory release; mitigation relies on not deploying the vulnerable showcase applications. ↗
- ·Red Hat products do not actively compile or ship Struts 2, but struts2-core JARs were inadvertently included in source packages for Fuse Service Works 6.0.0 and Single Sign On 7.3.0+. Customers building from source should scan and remove these JARs. ↗
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Apache Struts Multiple Cross-site Scripting Vulnerabilities
osv·2022-05-17
CVE-2012-1006 [MEDIUM] Apache Struts Multiple Cross-site Scripting Vulnerabilities
Apache Struts Multiple Cross-site Scripting Vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to `struts2-showcase/person/editPerson.action`, or the (3) clientName parameter to `struts2-rest-showcase/orders`.
GHSA
Apache Struts Multiple Cross-site Scripting Vulnerabilities
ghsa·2022-05-17
CVE-2012-1006 [MEDIUM] CWE-79 Apache Struts Multiple Cross-site Scripting Vulnerabilities
Apache Struts Multiple Cross-site Scripting Vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to `struts2-showcase/person/editPerson.action`, or the (3) clientName parameter to `struts2-rest-showcase/orders`.
Red Hat
struts2: multiple XSS flaws
vendor_redhat·2012-02-01·CVSS 4.3
CVE-2012-1006 [MEDIUM] CWE-79 struts2: multiple XSS flaws
struts2: multiple XSS flaws
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an import of t
No detection rules found.
http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txthttp://secpod.org/blog/?p=450http://www.securityfocus.com/bid/51902https://exchange.xforce.ibmcloud.com/vulnerabilities/72888http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txthttp://secpod.org/blog/?p=450http://www.securityfocus.com/bid/51902https://exchange.xforce.ibmcloud.com/vulnerabilities/72888
2012-02-07
Published