CVE-2009-1275
Apache Tiles Vulnerable to XSS via EL Expression Injection
EPSS 1.3%
Description
Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.
How to fix CVE-2009-1275
To remediate CVE-2009-1275, upgrade the affected package to a fixed version below.
- Debian/tiles—upgrade to 2.2.0-1 or later
- —upgrade to 2.1.2 or later
Is CVE-2009-1275 being exploited?
Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.2.0-1
- >= 2.1, < 2.1.2