PT-2011-3360 · Apache+1 · Xwork+2

Marian Ventuneac · Published 2011-05-13 · Updated 2022-05-17 · CVE-2011-1772

CVSS v2.0: 2.6 (Low)
Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Apache Struts versions prior to 2.2.3
OpenSymphony WebWork (affected versions not specified)

Description

The issue allows remote attackers to inject arbitrary web script or HTML via various vectors, including an action name, the action attribute of an s:submit element, or the method attribute of an s:submit element. This is possible due to the lack of escaping for action names in automatically generated error pages in XWork. When Dynamic Method Invocation (DMI) is enabled, the action name can be generated dynamically based on request parameters, allowing for a successful attack by calling non-existing pages and methods to produce error pages with injected code.

Recommendations

For Apache Struts versions prior to 2.2.3, update to version 2.2.3 or later to resolve the issue. For OpenSymphony WebWork, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
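
The missing escaping named in the description, shown as an added example that is not code from XWork, Struts or this advisory: an error page that copies a request-derived action name verbatim, beside the same page with output escaping applied. The class, method names, message text and sample inputs are hypothetical and constructed for illustration.

```java
// Added illustration; class, method names and message text are hypothetical,
// not XWork's own code.
public class ErrorPageEscaping {

    // Escape the characters that are significant in HTML text and attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Unsafe pattern: request-derived names are copied into the page verbatim,
    // so any markup they carry becomes part of the document.
    static String errorPageUnescaped(String actionName, String method) {
        return "<html><body><p>No action mapped for name " + actionName
                + " and method " + method + ".</p></body></html>";
    }

    // Hardened pattern: every request-derived value is escaped at the point of output.
    static String errorPageEscaped(String actionName, String method) {
        return "<html><body><p>No action mapped for name " + escapeHtml(actionName)
                + " and method " + escapeHtml(method) + ".</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed inputs: a non-existent action name carrying benign markup,
        // and a method name containing quote characters.
        String actionName = "missing<i>markup</i>";
        String method = "no\"such'method";

        String unsafe = errorPageUnescaped(actionName, method);
        String safe = errorPageEscaped(actionName, method);
        System.out.println(unsafe);
        System.out.println(safe);
        // The raw tag survives only in the unescaped page.
        System.out.println("unescaped keeps tag: " + unsafe.contains("<i>"));
        System.out.println("escaped keeps tag:   " + safe.contains("<i>"));
    }
}
```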

Exploit

XSS


Weakness Enumeration

Related Identifiers

CVE-2011-1772
GHSA-56F8-G68R-J699

Affected Products

Apache Struts
Opensymphony Webwork
Xwork