CVE-2009-1275 – org.apache.tiles:tiles-core
Package
Manager: maven
Name: org.apache.tiles:tiles-core
Vulnerable Version: >=2.1 <2.1.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:R
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.01152 (percentile: 0.77709)
Details
Apache Tiles Vulnerable to XSS via EL Expression Injection

Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) `tiles:putAttribute` and (2) `tiles:insertTemplate` JSP tags.
Metadata
Created: 2022-05-02T03:23:16Z
Modified: 2024-01-23T18:19:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2c6q-rgvj-66rx/GHSA-2c6q-rgvj-66rx.json
CWE IDs: ["CWE-87", "CWE-917"]
Alternative ID: GHSA-2c6q-rgvj-66rx
Finding: F004
Auto approve: 1