Published: 30/03/2006 Updated: 20/07/2017
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Apache Software Foundation (ASF) Struts prior to 1.2.9 allows remote malicious users to bypass validation via a request that carries an 'org.apache.struts.taglib.html.Constants.CANCEL' parameter. The parameter causes the action to be treated as cancelled, so form validation is skipped, and applications that do not perform the isCancelled check would not detect that this happened.

Github Repositories

StrutsExample
Block-listed parameters:
- CVE-2006-1546: org.apache.struts.taglib.html.CANCEL=true and org.apache.struts.taglib.html.CANCEL.x -> if any of these parameters is present in the request, then we should log it and throw an exception.
- CVE-2014-0114: if a request parameter name contains a reference to class, then log it and throw an exception.
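The two checks the repository description lists can be applied in one servlet filter placed in front of the Struts ActionServlet. The filter below is an added example written for this page; it is not code from the StrutsExample repository or from Struts itself. The parameter names are the real Struts 1 cancel-button names (the values of Constants.CANCEL_PROPERTY and CANCEL_PROPERTY_X). The filter class name, the use of java.util.logging, and the regular expression used to recognise a "class" reference in a parameter name are assumptions made for this example.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example (not the page's or the StrutsExample project's code): rejects
 * requests carrying the parameters named in the repository description.
 */
public class StrutsParameterGuardFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(StrutsParameterGuardFilter.class.getName());

    // Parameter names Struts 1 interprets as "the Cancel button was pressed"
    // (CVE-2006-1546). Their presence makes Struts skip validation.
    private static final String[] CANCEL_PARAMS = {
        "org.apache.struts.taglib.html.CANCEL",
        "org.apache.struts.taglib.html.CANCEL.x"
    };

    // Parameter names that reference a bean's "class" property (CVE-2014-0114).
    // Assumption for this example: "class" as a whole path segment, at the start
    // or after a dot, followed by a dot, an indexer, or the end of the name.
    private static final Pattern CLASS_PARAM =
            Pattern.compile("(^|.*\\.)class(\\.|\\[|$).*", Pattern.CASE_INSENSITIVE);

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            String offending = findOffendingParameter((HttpServletRequest) req);
            if (offending != null) {
                // Record who sent it and which name tripped the rule, then refuse
                // the request, as the repository description does.
                LOG.warning("Rejected request from " + req.getRemoteAddr()
                        + " carrying blocked Struts parameter: " + offending);
                throw new ServletException("Request contains a blocked parameter");
            }
        }
        chain.doFilter(req, res);
    }

    /** Returns the first blocked parameter name, or null if the request is clean. */
    static String findOffendingParameter(HttpServletRequest request) {
        // Raw Enumeration keeps this compatible with the Servlet 2.x API that
        // Struts 1 applications typically run on.
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (isBlocked(name)) {
                return name;
            }
        }
        return null;
    }

    /** Exact match for the cancel names, pattern match for a "class" reference. */
    static boolean isBlocked(String name) {
        for (String cancel : CANCEL_PARAMS) {
            if (cancel.equals(name)) {
                return true;
            }
        }
        return CLASS_PARAM.matcher(name).matches();
    }

    @Override
    public void destroy() { }
}
```

Map the filter in web.xml to the same URL pattern as the Struts ActionServlet so it runs before any Action sees the request. This is a stop-gap: the durable fix for CVE-2006-1546 is upgrading to Struts 1.2.9 or later, where an Action only honours the cancel parameters if its mapping opts in with the cancellable attribute, and code that does opt in must still call isCancelled() before trusting unvalidated form data.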