Cross-Site Request Forgery in Apache Struts

GHSA-2rvh-q539-q33v · CVE-2012-4386

Published May 17, 2022 · Modified Dec 7, 2024

Description

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2012-4386
WEB https://exchange.xforce.ibmcloud.com/vulnerabilities/78182
WEB https://issues.apache.org/jira/browse/WW-3858
WEB http://struts.apache.org/2.x/docs/s2-010.html
WEB http://www.openwall.com/lists/oss-security/2012/09/01/4
WEB http://www.openwall.com/lists/oss-security/2012/09/01/5

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes