PT-2012-1242 · Apache · Apache Struts

Published: 2012-02-01 · Updated: 2022-05-17 · CVE-2012-1006

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Apache Struts versions 2.0.14 through 2.2.3

Description: The issue allows remote attackers to inject arbitrary web script or HTML via the name or lastName parameter to "struts2-showcase/person/editPerson.action", or the clientName parameter to "struts2-rest-showcase/orders". These pages reflect the parameter values into the response without sufficient output encoding, which lets an attacker carry out a reflected cross-site scripting (XSS) attack using a specially crafted URL.

Recommendations: For Apache Struts versions 2.0.14 through 2.2.3, consider disabling access to the struts2-showcase/person/editPerson.action and struts2-rest-showcase/orders endpoints until a patch is available. Restrict the use of the name, lastName, and clientName parameters in these endpoints to minimize the risk of exploitation.
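The following Python example is added here to illustrate the two sides of the advisory and is not code from the Struts project or from the showcase application: a stand-in template reflects the `name` and `lastName` parameters the way a form re-display does, once without encoding (the vulnerable pattern) and once with HTML-entity encoding for the attribute and element context (the fix applied in a view layer). A small request-inspection helper covers the "restrict the use of the parameters" recommendation by flagging requests to the two affected endpoints whose watched parameters carry markup characters. The template, the `TEMPLATE`, `WATCHED`, `reflect_*`, `breaks_out_of_context` and `flag_request` names, and the sample URL are all constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Stand-in for a form page that re-displays submitted values; constructed for
# this example, not the showcase JSP. Two "<" and eight '"' are part of the markup.
TEMPLATE = '<input type="text" name="name" value="{name}"> <span id="last">{lastName}</span>'

# Endpoints and parameters named in the advisory, used by the request check below.
WATCHED = {
    "/struts2-showcase/person/editPerson.action": ("name", "lastName"),
    "/struts2-rest-showcase/orders": ("clientName",),
}

# Constructed crafted URL: the name value is '"><b>hi</b>', which closes the
# value attribute and the input tag if reflected unencoded.
CRAFTED_URL = (
    "https://example.invalid/struts2-showcase/person/editPerson.action"
    "?name=%22%3E%3Cb%3Ehi%3C%2Fb%3E&lastName=Smith"
)


def params_from_url(url: str) -> dict:
    """Return the first value of each query parameter, percent-decoded."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def reflect_unencoded(params: dict) -> str:
    """Vulnerable pattern: parameter values are placed into the HTML as-is."""
    return TEMPLATE.format(
        name=params.get("name", ""), lastName=params.get("lastName", "")
    )


def reflect_encoded(params: dict) -> str:
    """Hardened pattern: HTML-entity encode before reflecting into the page.

    quote=True also encodes '"' and "'", which is what an attribute context needs.
    """
    return TEMPLATE.format(
        name=html.escape(params.get("name", ""), quote=True),
        lastName=html.escape(params.get("lastName", ""), quote=True),
    )


def breaks_out_of_context(rendered: str) -> bool:
    """True if user input added tag or attribute delimiters beyond the template's own."""
    return (
        rendered.count("<") != TEMPLATE.count("<")
        or rendered.count('"') != TEMPLATE.count('"')
    )


def flag_request(request_target: str) -> bool:
    """Flag a request line target (path + query) for the affected endpoints when a
    watched parameter carries HTML delimiters after percent-decoding."""
    parts = urlsplit(request_target)
    watched = WATCHED.get(parts.path)
    if not watched:
        return False
    query = parse_qs(parts.query)
    for param in watched:
        for value in query.get(param, []):
            if any(ch in value for ch in '<>"\''):
                return True
    return False


if __name__ == "__main__":
    p = params_from_url(CRAFTED_URL)
    print("unencoded:", reflect_unencoded(p), breaks_out_of_context(reflect_unencoded(p)))
    print("encoded:  ", reflect_encoded(p), breaks_out_of_context(reflect_encoded(p)))
    print("flagged:  ", flag_request(CRAFTED_URL[len("https://example.invalid"):]))
```

The delimiter-count check is a coarse test for a template this simple; in a real view the encoding must match the context (attribute, element body, URL, or script), and a request filter like `flag_request` is a stop-gap for the period before the patched build is deployed, not a substitute for encoding at the output.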

XSS


Weakness Enumeration

Related Identifiers

BDU:2022-06340
CVE-2012-1006
GHSA-CMPM-JG8R-FV37

Affected Products

Apache Struts