Family CGI abuses : XSS
Nessus Plugin ID 38208 (struts_sa_surl_xss.nasl)
Bugtraq ID 34686
CVE ID CVE-2008-6682
The remote host is running a web application with multiple cross-site
The web application on the remote host is vulnerable to cross-site
scripting attacks. This is likely due to a vulnerable version of
Apache Struts that fails to properly encode the parameters in the
's:a' and 's:url' tags.
A remote attacker could exploit this by tricking a user into
requesting a page with arbitrary script code injected. This could
have consequences such as stolen authentication credentials.
Upgrade to Struts version 2.1.1 / 18.104.22.168 or later.
Risk factor :
Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 3.6
Public Exploit Available : true