Summary

Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags

Who should read this

All Struts 2 developers

Impact of vulnerability

Injection of malicious client side code

Maximum security rating

Important

Recommendation

Developers using Struts 2 tags should immediately upgrade to Struts 2.0.11.1

Affected Software

Struts 2.0.0 - Struts 2.0.11

Original JIRA Tickets

WW-2414,WW-2427

Problem

For both the <s:url> and the <s:a> tag, it is possible to inject parameter values that do not get escaped properly when the tag's resulting URLs are constructed and rendered. The following scenarios are known:

Solution

As of Struts 2.0.11.1

You can obtain Struts 2.0.11.1 as a drop in replacement for Struts 2.0.11 to get the fixed Struts 2 core library.