CVE-2008-2025 — Apache Struts Cross-site Scripting vulnerability

Description

Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters."

How to fix CVE-2008-2025

To remediate CVE-2008-2025, upgrade the affected package to a fixed version below.

Maven/struts:struts—upgrade to 1.2.9-162.31.1 or later

Is CVE-2008-2025 being exploited?

Low — EPSS is 3.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.2.9-162.31.1

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2008-2025
PATCHgithub.com/apache/struts
WEBdownload.opensuse.org/update/10.3-test/repodata/patch-struts-5872.xml
WEBlists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html