CVE-2016-2162 — Cross-site Scripting in Apache Struts

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

1.2%

top 20.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Struts

Timeline

PublishedApr 12

Latest updateMay 17

Description

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDapache/struts56 versions+55

🔴Vulnerability Details

GHSA

Apache Struts XSS Vulnerability↗2022-05-17

▶

OSV

Apache Struts XSS Vulnerability↗2022-05-17

▶

CVEList

CVE-2016-2162: Apache Struts 2↗2016-04-12

▶

📋Vendor Advisories

Red Hat

struts2: unsanitized text in the Locale object constructed by I18NInterceptor↗2016-04-13

▶

💬Community

Bugzilla

CVE-2016-2162 struts2: unsanitized text in the Locale object constructed by I18NInterceptor↗2016-04-13

▶