This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Child pages
  • S2-006
Skip to end of metadata
Go to start of metadata


Multiple Cross-Site Scripting (XSS) in XWork generated error pages

Who should read this

All Struts 2 developers

Impact of vulnerability

Injection of malicious client side code

Maximum security rating



Developers should either upgrade to Struts 2.2.3 or apply the configuration changes described below

Affected Software

Struts 2.0.0 - Struts

Original JIRA Tickets



Dr. Marian Ventuneac, Genworth

CVE Identifier



By default, XWork doesn't escape action's names in automatically generated error page, allowing for a successful XSS attack. When Dynamic Method Invocation (DMI) is enabled, the action name is generated dynamically base on request parameters. This allows to call non-existing page and method to produce error page with injected code as below


A more detailed description is found in the referenced JIRA ticket.


As of Struts 2.2.3 the action names are escaped when automatically generated error pages are rendered.

When staying with earlier releases, developers should either

  • Disable DMI support in struts.xml
        <constant name="struts.enable.DynamicMethodInvocation" value="false" />


  • Define error page in struts.xml (as below)
        <result name="error">/error_page.jsp</result>
        <exception-mapping exception="java.lang.Exception" result="error"/>

You can obtain Struts 2.2.3 here.

  • No labels