Red Hat Bugzilla – Bug 723827
CVE-2011-1772 struts: Multiple XSS flaws in XWork
Last modified: 2016-03-04 06:45:00 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1772 to the following vulnerability: Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1772 [2] http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html [3] http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html [4] http://www.ventuneac.net/security-advisories/MVSA-11-006 [5] http://struts.apache.org/2.2.3/docs/version-notes-223.html [6] http://struts.apache.org/2.x/docs/s2-006.html [7] https://issues.apache.org/jira/browse/WW-3579 [8] http://www.securityfocus.com/bid/47784 [9] http://www.vupen.com/english/advisories/2011/1198
Based on: [10] https://bugzilla.novell.com/show_bug.cgi?id=693976#c3 it's more than likely this flaw would not affect any of our Struts-1.x package version, shipped across different supported products. But we need to double-check, confirm and note this.
This issue only affects struts 2.x. Statement: Not vulnerable. This issue did not affect the versions of struts as shipped with Red Hat Enterprise Linux 5, Red Hat Network Satellite 5, JBoss Enterprise Web Server 1, JBoss Enterprise Application Platform 4, JBoss Enterprise Portal Platform 4 and JBoss Operations Network 2.