virus logo FortiClient Vulnerability

Apache Struts CVE-2011-1772 Cross Site Scripting Vulnerability

description-logoDescription

By default, XWork doesn't escape action's names in automatically generated error page, allowing for a successful XSS attack. When Dynamic Method Invocation (DMI) is enabled, the action name is generated dynamically base on request parameters. This allows to call non-existing page and method to produce error page with injected code as below

affected-products-logoAffected Applications

Apache Struts

CVE References

CVE-2011-1772

Other References

https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
ID 41597
Created Jan 17, 2020
Description
Updated		 Dec 14, 2023
Risk black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon
Coverage FortiClient
OS Linux
Vendor Apache
Patch manual
Application Apache Struts