Apache Struts Multiple Open-Redirection Vulnerabilities

vendor:

Struts

by:

SecurityFocus

7,5

CVSS

HIGH

Open-Redirection

601

CWE

Product Name: Struts

Affected Version From: 2.0.0

Affected Version To: 2.3.15.1

Patch Exists: YES

Related CWE: N/A

CPE: 2.3:a:apache:struts:2.3.15.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2013

Apache Struts Multiple Open-Redirection Vulnerabilities

Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input. An attacker can leverage these issues by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.

Mitigation:

Input validation should be used to prevent open-redirection attacks.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/61196/info

Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.

An attacker can leverage these issues by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.

Apache Struts 2.0.0 prior to 2.3.15.1 are vulnerable. 

http://www.example.com/struts2-showcase/fileupload/upload.action?redirect:http://www.example.com/
http://www.example.com/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.example.com/%23