[jira] [Updated] (WW-4507) Struts 2 XSS vulnerability with
[ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart updated WW-4507:
--
    Fix Version/s: (was: 2.3.x) 2.3.25

> Struts 2 XSS vulnerability with
> -
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.16.3
> Environment: Operating System: Windows 7. Application Server:
> JBoss-4.2.1.GA. Java: jdk1.5.0.11. Development Framework: Struts
> 2.3.16.3. Browser: FireFox 38.0.1
> Reporter: brian neisen
> Assignee: Rene Gielen
> Labels: struts2, vulnerability, xss
> Fix For: 2.3.25, 2.5
>
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the
> tag. When loading a url in a browser with some param name, in
> this case "myinput", and the jsp being loaded has the tag name="myinput" id="myinput">, an alert message is popped open
> in the browser- which is WhiteHat's method of showing the vulnerability.
> Example url is:
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (WW-4507) Struts 2 XSS vulnerability with
[ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Gielen updated WW-4507:
    Fix Version/s: 2.5

> Struts 2 XSS vulnerability with
> -
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.16.3
> Environment: Operating System: Windows 7. Application Server:
> JBoss-4.2.1.GA. Java: jdk1.5.0.11. Development Framework: Struts
> 2.3.16.3. Browser: FireFox 38.0.1
> Reporter: brian neisen
> Assignee: Rene Gielen
> Labels: struts2, vulnerability, xss
> Fix For: 2.3.x, 2.5
>
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the
> tag. When loading a url in a browser with some param name, in
> this case "myinput", and the jsp being loaded has the tag name="myinput" id="myinput">, an alert message is popped open
> in the browser- which is WhiteHat's method of showing the vulnerability.
> Example url is:
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (WW-4507) Struts 2 XSS vulnerability with
[ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart updated WW-4507:
--
    Fix Version/s: 2.3.x

> Struts 2 XSS vulnerability with
> -
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.16.3
> Environment: Operating System: Windows 7. Application Server:
> JBoss-4.2.1.GA. Java: jdk1.5.0.11. Development Framework: Struts
> 2.3.16.3. Browser: FireFox 38.0.1
> Reporter: brian neisen
> Labels: struts2, vulnerability, xss
> Fix For: 2.3.x
>
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the
> tag. When loading a url in a browser with some param name, in
> this case "myinput", and the jsp being loaded has the tag name="myinput" id="myinput">, an alert message is popped open
> in the browser- which is WhiteHat's method of showing the vulnerability.
> Example url is:
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (WW-4507) Struts 2 XSS vulnerability with
[ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

brian neisen updated WW-4507:
-
    Description:
WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the tag. When loading a url in a browser with some param name, in this case "myinput", and the jsp being loaded has the tag , an alert message is popped open in the browser- which is WhiteHat's method of showing the vulnerability.
Example url is:
[http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]

  (was:
WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the tag. When loading a url in a browser with some param name, in this case "myinput", and the jsp being loaded has the tag , an alert message is popped open in the browser- which is WhiteHat's method of showing the vulnerability.
Example url, enclosed in square brackets is:
[http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE])

> Struts 2 XSS vulnerability with
> -
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.16.3
> Environment: Operating System: Windows 7. Application Server:
> JBoss-4.2.1.GA. Java: jdk1.5.0.11. Development Framework: Struts
> 2.3.16.3. Browser: FireFox 38.0.1
> Reporter: brian neisen
> Labels: struts2, vulnerability, xss
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the
> tag. When loading a url in a browser with some param name, in
> this case "myinput", and the jsp being loaded has the tag name="myinput" id="myinput">, an alert message is popped open
> in the browser- which is WhiteHat's method of showing the vulnerability.
> Example url is:
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
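
Added example, not part of the original messages or of the Struts code base: the example URL in the report writes its punctuation as six-byte sequences with lead byte 0xFC, a form RFC 3629 does not allow, and this Python check flags such ill-formed sequences in a percent-encoded parameter value before any lenient decoder sees them. The function names are hypothetical, the sample inputs in the comments are constructed, and the root cause inside Struts is not stated on the page.

```python
from urllib.parse import unquote_to_bytes

# Smallest code point that legitimately needs an n-byte sequence (RFC 3629 stops at 4).
MIN_CODEPOINT = {2: 0x80, 3: 0x800, 4: 0x10000}
LEAD_PATTERNS = [(0xE0, 0xC0), (0xF0, 0xE0), (0xF8, 0xF0), (0xFC, 0xF8), (0xFE, 0xFC)]

def seq_len(lead):
    """Length announced by a lead byte, including the obsolete 5- and 6-byte forms."""
    for n, (mask, pattern) in enumerate(LEAD_PATTERNS, start=2):
        if lead & mask == pattern:
            return n
    return 0  # continuation byte, 0xFE or 0xFF: never a valid lead

def find_bad_sequences(raw):
    """Return (offset, hex, reason, ascii_char_or_None) for each ill-formed sequence."""
    findings, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:                      # plain ASCII
            i += 1
            continue
        n = seq_len(b)
        tail = raw[i + 1:i + n]
        if n == 0 or len(tail) != n - 1 or any(t & 0xC0 != 0x80 for t in tail):
            findings.append((i, raw[i:i + 1].hex(), "stray or truncated byte", None))
            i += 1
            continue
        cp = b & (0xFF >> (n + 1))        # payload bits of the lead byte
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if n > 4:
            reason = f"{n}-byte form not allowed by RFC 3629"
        elif cp < MIN_CODEPOINT[n]:
            reason = "overlong encoding"
        elif 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            reason = "surrogate or out of range"
        else:
            reason = None
        if reason:
            # What a lenient decoder would collapse this to, if it is ASCII.
            findings.append((i, raw[i:i + n].hex(), reason, chr(cp) if cp < 0x80 else None))
        i += n
    return findings

def check_query_value(encoded):
    """Percent-decode one parameter value to bytes and report ill-formed UTF-8."""
    return find_bad_sequences(unquote_to_bytes(encoded))

# e.g. check_query_value("%fc%80%80%80%80%a2") reports one 6-byte sequence hiding '"'
```

A request filter or log triage job can reject or flag any parameter for which `check_query_value` returns a non-empty list, since well-formed UTF-8 never produces a finding.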