Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-1007 — Cross-site Scripting in Apache Struts

CWE-79 — Cross-site Scripting7 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

23.0%

top 4.08%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Struts

Timeline

PublishedFeb 7

Latest updateMay 14

Description

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/struts1.3.10

🔴Vulnerability Details

OSV

Apache Struts XSS↗2022-05-14

▶

GHSA

Apache Struts XSS↗2022-05-14

▶

CVEList

CVE-2012-1007: Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1↗2012-02-07

▶

💥Exploits & PoCs

Exploit-DB

Apache Struts - Multiple Persistent Cross-Site Scripting Vulnerabilities↗2012-02-02

▶

📋Vendor Advisories

Red Hat

struts: multiple XSS flaws↗2012-02-01

▶

💬Community

Bugzilla

CVE-2012-1007 struts: multiple XSS flaws↗2012-02-07

▶