Overview
Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for creating modern Java-based enterprise applications.
A Cross-site scripting (XSS) vulnerability (CVE-2008-2025) has been reported in Apache Struts, which allows attackers to inject arbitrary web script or HTML.
Per OWASP, Cross Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
This issue was reported as affecting all versions of Struts earlier than 1.2.9.
Details
Module Info
- Product: Apache Struts
- Affected packages: struts, struts-core
- Affected versions: <1.2.9
- GitHub repository: https://github.com/apache/struts
- Package manager: Maven
- Fixed in: NES for Apache Struts Struts 1 v1.1.1
Vulnerability Info
This vulnerability was reported by Red Hat. The issue was subsequently opened by the Struts team. Niall Pemberton questioned whether this was truly a Struts vulnerability, arguing that the real problem stemmed from user-written JSP pages that re-render unfiltered input, not from the Struts framework itself. He expressed concerns that filtering could break existing applications where developers had already encoded input.
An official statement from Red Hat on the CVE reads:
“This is not a security flaw in Struts. Struts has never guaranteed to perform filtering of untrusted user inputs used as HTML tag attribute names or values. If user inputs need to be used as part of tag attributes, the JSP page needs to perform filtering explicitly.”
It appears that a patch was added by Red Hat to their products. HeroDevs has implemented its own patch, which differs from the one described in the issue above. This custom patch aims to provide XSS protection without breaking behavior, should an application be configured insecurely.
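The following is an added example, not code from Struts, Red Hat or the HeroDevs patch. It illustrates the point made in the Overview and in Red Hat's statement above: a JSP or tag that writes a raw request parameter into an HTML tag attribute is exploitable, and the fix is explicit attribute encoding at the point of output. The class, method names and the sample input are hypothetical.

```java
import java.util.Objects;

/**
 * Added example (hypothetical names, not Struts or HeroDevs code): shows
 * why placing unencoded user input inside an HTML attribute value is an
 * XSS sink, and how explicit attribute encoding closes it.
 */
public class AttributeEncodingDemo {

    /** Encode a string for safe use inside a double-quoted HTML attribute. */
    public static String escapeHtmlAttribute(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the request value is concatenated verbatim into the tag. */
    public static String renderUnsafe(String userName) {
        return "<input type=\"text\" name=\"user\" value=\"" + userName + "\">";
    }

    /** Hardened pattern: the value is encoded before it reaches the attribute. */
    public static String renderSafe(String userName) {
        return "<input type=\"text\" name=\"user\" value=\"" + escapeHtmlAttribute(userName) + "\">";
    }

    /** True when the encoded value can no longer terminate the attribute or open a tag. */
    public static boolean isAttributeSafe(String encoded) {
        Objects.requireNonNull(encoded);
        return !encoded.contains("\"") && !encoded.contains("<") && !encoded.contains(">");
    }

    public static void main(String[] args) {
        // Constructed sample input: the quote character ends the attribute early,
        // so everything after it is parsed by the browser as new markup.
        String input = "Bob\"><script>alert(1)</script>";

        System.out.println("unsafe: " + renderUnsafe(input));
        System.out.println("safe:   " + renderSafe(input));
        System.out.println("encoded value is attribute-safe: "
                + isAttributeSafe(escapeHtmlAttribute(input)));
    }
}
```

In the unsafe rendering the quote in the input closes the `value` attribute and the rest of the string becomes live markup; in the safe rendering every delimiter is turned into an entity and the browser treats the whole string as the field's value. In a Struts 1 JSP the same rule applies to scriptlets and custom tags that echo request parameters: encode at output, or use a tag that escapes by default (the JSTL `<c:out>` tag escapes XML-significant characters unless `escapeXml="false"` is set).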
Credit
- Red Hat
Mitigation
Users of the affected components should apply one of the following mitigations:
- Upgrade to patched version 1.2.9
- Leverage a commercial support partner like HeroDevs for post-EOL security support.