CVE-2008-6682 Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag.
Reference
http://www.nabble.com/Feedback3A-WW-24142C-XSS-attack-is-possible-if-using-3Cs3Aurl-…3E-and-3Cs3Aa-…3E-td14771449.html
http://www.nabble.com/Feedback3A-WW-24142C-XSS-attack-is-possible-if-using-3Cs3Aurl-…3E-and-3Cs3Aa-…3E-td14771449i20.html
http://www.securityfocus.com/bid/34686
https://issues.apache.org/struts/browse/WW-2414
https://issues.apache.org/struts/browse/WW-2427