CVE-2013-6348

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/.

Published: Nov 2, 2013
Updated: May 9, 2024
CVE: CVE-2013-6348
GHSA: GHSA-3g8j-jj54-3vjg
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
apache / struts	2.3.15.3	2.3.15.3.x
org.apache.struts / struts2-core	-	2.3.16

http://en.wooyun.org/bugs/wooyun-2013-034?2592
http://osvdb.org/99047
http://osvdb.org/99048
http://packetstormsecurity.com/files/123805/Struts-2.3.15.3-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2013/Oct/244
http://www.securitytracker.com/id/1029266
https://issues.apache.org/jira/browse/WW-4213
https://security-tracker.debian.org/tracker/CVE-2013-6348
https://svn.apache.org/viewvc?view=revision&revision=1533354
https://ubuntu.com/security/CVE-2013-6348

Vulnerability Database

CVE-2013-6348

Deep Security Visibility Without the Complexity