Vendor: Apache Struts
By: Unknown
CVSS: 9.8 (CRITICAL)
Vulnerability Type: Session Tampering
CWE: 384 (Session Fixation)
Product Name: Apache Struts
Affected Version From: 2.0.9
Affected Version To: 2.1.8.1
Patch Exists: YES
Related CVE: CVE-XXXX-XXXX
CPE: a:apache:struts
Platforms Tested: Unknown
Apache Struts Session Tampering Vulnerability
Apache Struts 2 is prone to a security-bypass vulnerability that lets a remote attacker tamper with server-side session state. The framework maps incoming request parameters onto the action's value stack by name, and the 'session' map is reachable from that stack, so a request such as 'SomeAction.action?session.somekey=value' is interpreted as a write to the session attribute 'somekey'. An attacker who controls the parameter name can therefore set or overwrite session attributes (for example one the application uses to record a role or login state) without going through the application's own logic, bypassing security restrictions and gaining unauthorized access.
Mitigation:
Upgrade to Apache Struts 2.0.10 or 2.1.8.2, or apply the vendor patch if one is available for your branch. Independently of the upgrade, restrict which request parameter names the parameters interceptor will accept: reject names that address framework-managed objects (the 'session.', 'request.', 'application.' and similar prefixes) so that only the action's own properties can be populated from the request, and treat the session as server-controlled state that is written only by application code, never by a client-supplied parameter name.
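The following is an added example, not code from Apache Struts or from the original advisory. It models the behaviour described above (request parameters mapped by name onto a value stack from which the 'session' map is reachable) and places the vulnerable mapping beside a hardened one that refuses framework-scoped prefixes, in the style of Struts' 'excludeParams' setting. The context layout, the accepted-name pattern and the exact exclusion list are simplifications and assumptions for illustration; the sample query string is constructed.

```python
import re

# Model of the ActionContext visible to OGNL: the action's own properties plus the
# request-scoped maps that are reachable by name from the value stack. (Constructed
# for this example; the real Struts context exposes more than this.)
def make_context():
    return {
        "action": {"username": ""},
        "session": {"role": "user"},
        "application": {},
    }


def ognl_set(context, name, value):
    """Minimal stand-in for an OGNL setValue: 'a.b.c' walks a.b and assigns c.
    A name with no dotted prefix is treated as a property of the action itself."""
    parts = name.split(".")
    if len(parts) == 1:
        context["action"][parts[0]] = value
        return
    target = context.get(parts[0])
    if target is None:  # unknown root object: nothing to write to
        return
    for key in parts[1:-1]:
        target = target.setdefault(key, {})
    target[parts[-1]] = value


# Syntactic check on parameter names (assumed pattern): this alone does not stop
# 'session.somekey', because dots are a legitimate part of property paths.
ACCEPTED_NAME = re.compile(r"^[a-zA-Z0-9.\]\[()_']+$")

# Prefixes that must never be reachable from a request parameter. The list follows
# the form of Struts' excludeParams configuration; treat it as an assumption here.
EXCLUDED_NAMES = [re.compile(p) for p in (
    r"^session\..*",
    r"^request\..*",
    r"^application\..*",
    r"^servlet(Request|Response)\..*",
    r"^struts\..*",
    r"^dojo\..*",
)]


def vulnerable_intercept(context, params):
    """Maps every well-formed parameter name onto the value stack, so a client can
    write into the session map simply by choosing the name 'session.<attr>'."""
    for name, value in params.items():
        if ACCEPTED_NAME.match(name):
            ognl_set(context, name, value)
    return context


def hardened_intercept(context, params):
    """Same mapping, but names addressing framework-managed scopes are dropped
    before they ever reach the value stack."""
    for name, value in params.items():
        if not ACCEPTED_NAME.match(name):
            continue
        if any(pattern.match(name) for pattern in EXCLUDED_NAMES):
            continue
        ognl_set(context, name, value)
    return context


# Constructed sample request to SomeAction.action: one legitimate property and two
# attempts to write session attributes by name.
SAMPLE_PARAMS = {
    "username": "alice",
    "session.role": "admin",
    "session.somekey": "tampered",
}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_intercept(make_context(), SAMPLE_PARAMS))
    print("hardened:  ", hardened_intercept(make_context(), SAMPLE_PARAMS))
```

Run stand-alone, the vulnerable path shows the session map's 'role' overwritten and 'somekey' created from the query string, while the hardened path leaves the session untouched and still populates the action's 'username'. The syntactic name check is kept in both to make the point that a character whitelist is not the fix; the fix is refusing to resolve names that leave the action's own property space.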