CVE-2016-1182

Cross-Site Scripting
Affects: Apache Struts (Struts)
Versions: >=1.0.0 <=1.3.10
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for creating modern Java-based enterprise applications. 

A Cross-Site Scripting (XSS) vulnerability (CVE-2016-1182) has been identified in Apache Struts; it allows attackers to access information and compromise user accounts.

Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.

This issue affects versions >=1.0.0 <=1.3.10.

Details

Module Info

  • Product: Apache Struts 1
  • Affected packages: struts-core
  • Affected versions: >=1.0.0 <=1.3.10
  • GitHub repository: https://github.com/apache/struts1
  • Package manager: Maven
  • Fixed in: NES for Struts 1 v1.3.11

Vulnerability Info

Apache Struts 1.x versions up to and including 1.3.10 contain a vulnerability in ValidatorForm.java, which improperly handles multithreaded access to a ValidatorResult instance. The flaw allows remote attackers to modify validation rules or cause a denial of service (DoS): specially crafted requests sent within the same session can manipulate shared properties while earlier requests in that session are still being processed.

Mitigation

Struts 1 is no longer community-supported, so the community version will not receive any update addressing this issue.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Struts 2
  • Leverage a commercial support partner like HeroDevs for post-EOL security support
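Before choosing a mitigation, a defender needs to know whether any build still resolves struts-core inside the affected range. The following is an added example (not code from the advisory or from the Struts project): it parses the text output of `mvn dependency:list`, which prints resolved artifacts as group:artifact:jar:version:scope, and flags org.apache.struts:struts-core versions between 1.0.0 and 1.3.10 inclusive. The sample output below is constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Affected range from the advisory: struts-core >=1.0.0 <=1.3.10
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 3, 10)

# Constructed sample of `mvn dependency:list` output (not output from a real project).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts-core:jar:1.3.10:compile
[INFO]    org.apache.struts:struts-taglib:jar:1.3.10:compile
[INFO]    commons-validator:commons-validator:jar:1.3.1:compile
[INFO]    org.apache.struts:struts-core:jar:1.3.11:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.33:compile
"""

# Matches one resolved-artifact line: group:artifact:jar:version:scope
COORD_RE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):jar:([0-9][\w.\-]*):(\w+)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.3.10' into (1, 3, 10); a non-numeric part (e.g. '-SNAPSHOT') ends the parse."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when a struts-core version lies in the advisory's affected range (inclusive)."""
    parsed = parse_version(version)
    padded = parsed + (0,) * (3 - len(parsed))  # '1.3' compares as 1.3.0
    return AFFECTED_MIN <= padded[:3] <= AFFECTED_MAX


def find_affected(dep_list_output: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs for org.apache.struts:struts-core in the affected range."""
    hits = []
    for line in dep_list_output.splitlines():
        m = COORD_RE.match(line)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        if group == "org.apache.struts" and artifact == "struts-core" and is_affected(version):
            hits.append((artifact, version))
    return hits


if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact} {version}: inside the CVE-2016-1182 affected range")
```

Feed it real output by piping `mvn dependency:list` into a file and passing the file contents to find_affected; the 1.3.11 line is deliberately left unflagged because it is the first version outside the range.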

Vulnerability Details

  • ID: CVE-2016-1182
  • Project affected: Apache Struts
  • Versions affected: >=1.0.0 <=1.3.10
  • Published date: February 1, 2024
  • Fix date: February 1, 2024
  • Severity: High (CVSS bands: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
  • Category: Cross-Site Scripting