CVE-2016-4003

CWE-79Cross-site Scripting (XSS)6 documents6 sources
Severity
6.1MEDIUM
EPSS
2.6%
top 14.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Struts
Timeline
PublishedApr 12
Latest updateMay 14

Description

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

Mavenorg.apache.struts:struts2-core2.0.02.3.28
NVDapache/struts2.0.02.3.24.1

🔴Vulnerability Details

3
GHSA
Cross-site Scripting in Apache Struts2022-05-14
OSV
Cross-site Scripting in Apache Struts2022-05-14
CVEList
CVE-2016-4003: Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 12016-04-12

📋Vendor Advisories

1
Red Hat
struts2: cross-site scripting vulnerability in the URLDecoder function2016-04-13

💬Community

1
Bugzilla
CVE-2016-4003 struts2: cross-site scripting vulnerability in the URLDecoder function2016-04-13
CVE-2016-4003 (MEDIUM CVSS 6.1) | Cross-site scripting (XSS) vulnerab | cvebase.io