CVE-2015-0899
published 2016-07-04


Priority: P3 · 56 · high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 21.26% (97.3rd percentile)
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.

Affected (25 ranges)

Vendor    Product            Ranges
apache    struts             20
oracle    banking_platform   4
oracle    portal             1

Detection & IOCs (extracted from sources)

Signature (other): Apache.Struts.MPV.Input.Validation.Bypass
  • Detect HTTP POST requests where the 'page' parameter has been tampered with to a value lower than the expected field page number, bypassing MultiPageValidator input validation in Apache Struts 1.
  • Authentication is not required to exploit this vulnerability; monitor for unauthenticated POST requests manipulating the 'page' parameter in Struts 1 multi-page form submissions.
  • Successful exploitation can result in XSS payloads being stored and reflected via JSP files that directly reference form bean properties (e.g., the username field); monitor for script tags in form field submissions.
  • The vulnerability exists in both ValidatorForm.java and DynaValidatorForm.java and will NOT be patched, as Apache Struts 1 is End-Of-Life; detection/mitigation must be handled at the network/IPS layer.
  • The 'page' property value is read directly from the HTTP POST request; any application relying on client-supplied 'page' values for validator gating is vulnerable across Struts 1.1 through 1.3.10.

CVSS provenance

nvd (v3.0): 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd (v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N
ghsa: 7.5 HIGH
osv: 7.5 HIGH
vendor_redhat: 7.5 HIGH