CVE-2012-4386Cross-Site Request Forgery in Apache Struts

CWE-352Cross-Site Request Forgery5 documents5 sources
Severity
6.8MEDIUMNVD
EPSS
3.2%
top 12.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Struts
Timeline
PublishedSep 5
Latest updateMay 17

Description

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

NVDapache/struts35 versions+34

🔴Vulnerability Details

3
OSV
Cross-Site Request Forgery in Apache Struts2022-05-17
GHSA
Cross-Site Request Forgery in Apache Struts2022-05-17
CVEList
CVE-2012-4386: The token check mechanism in Apache Struts 22012-09-05

💬Community

1
Bugzilla
CVE-2012-4386 struts2: CSRF protection bypass2012-09-03
CVE-2012-4386 — Cross-Site Request Forgery in Apache | cvebase