NASLDB: Apache Struts struts-cookbook processSimple.do message Parameter XSS
General
ID: 60093
Name: Apache Struts struts-cookbook processSimple.do message Parameter XSS
Summary: Tries to exploit an XSS flaw in Struts-cookbook
Credits: Tenable Network Security, Inc.
Classification
Risk: –
CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS Temporal Vector: CVSS2#E:F/RL:U/RC:ND
Port: 80
Family: CGI abuses : XSS
Type: Remote
Description
The remote web server hosts struts-cookbook, a demonstration
application for the Struts framework. Input passed via the ‘message’
parameter to the ‘processSimple.do’ page is not properly sanitized
before using it to generate dynamic HTML.
By tricking someone into clicking on a specially crafted link, an
attacker may be able exploit this to inject arbitrary HTML and script
code into a user’s browser to be executed within the security context
of the affected site.
Exploiting
Exploit Available: True
Exploitability Ease: Exploits are available
Sources
CVE: CVE-2012-1007
OSVDB: –
Bugtraq: –
scipID: –
Timeline
Vulnerability Disclosure: 2012/02/01
Patch Release: –
Plugin Release: 2012/07/23
Plugin
Version: 1.2
Filename: struts_cookbook_xss.nasl
Filesize: 5018 bytes
MD5 Hash: 1a5bf1b7a166bd9d3ad4d7b55e8991cf
Identification: –
Require Keys: –
Dependencies: "http_version.nasl"
Copyright: This script is Copyright© 2012 Tenable Network Security, Inc.
- Letzte Plugins
- USN-1611-1 : thunderbird vulnerabilities
- USN-1610-1 : linux vulnerability
- USN-1609-1 : linux-ti-omap4 vulnerability
- SuSE 10 Security Update : PostgreSQL
- RHSA-2012-1364: bind97
- RHSA-2012-1363: bind
- RHSA-2012-1362: thunderbird
- RHSA-2012-1361: xulrunner
- Mandriva Linux Security Advisory : graphicsmagick
- FreeBSD : phpMyAdmin — Multiple XSS due to unescaped HTML output in Trigger, Procedure and Event pages and Fetching the version information from a non-SSL site is vulnerable to a MITM attack