Bug 975281 - (CVE-2016-2162) VUL-0: CVE-2016-2162: struts: Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Tomáš Chvátal
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/167747/
Whiteboard: CVSSv2:SUSE:CVE-2016-2162:6.4:(AV:N/...
Depends on:
Blocks:
Reported: 2016-04-13 08:22 UTC by Johannes Segitz
Modified: 2016-04-22 08:37 UTC (History)
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2016-04-13 08:22:22 UTC
CVE-2016-2162

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object
constructed by I18NInterceptor, which might allow remote attackers to conduct
cross-site scripting (XSS) attacks via unspecified vectors involving language
display.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2162
http://www.securitytracker.com/id/1035272
http://struts.apache.org/docs/s2-030.html
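The pattern the description refers to, shown as an added, self-contained example rather than Struts code: a locale string taken from a request parameter is copied into a java.util.Locale without validation, and the Locale is later printed back into a page as the "language display". The parameter name `request_locale`, the class and method names, and the hardening (a strict grammar check plus a whitelist of locales the JVM knows) are assumptions of this example, not the project's own fix; the hostile input is constructed.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example (not Struts code): how an unsanitized locale parameter
// can carry markup into a Locale and from there into a rendered page.
public class LocaleSanitizationDemo {

    // Assumed parameter name; Struts' real name is not relied on here.
    static final String LOCALE_PARAM = "request_locale";

    // Permissive parsing: every segment of the parameter is copied into the
    // Locale unchanged. java.util.Locale's constructor does not validate
    // language, country or variant, so markup survives intact.
    static Locale parseLocaleUnchecked(String param) {
        String[] parts = param.split("_", 3);
        String language = parts[0];
        String country = parts.length > 1 ? parts[1] : "";
        String variant = parts.length > 2 ? parts[2] : "";
        return new Locale(language, country, variant);
    }

    // Hardened variant (an assumption of this example, not the upstream fix):
    // accept only values matching a strict locale grammar that also resolve
    // to a locale the JVM knows; anything else falls back to a default.
    private static final Set<Locale> AVAILABLE =
            new HashSet<>(Arrays.asList(Locale.getAvailableLocales()));

    static Locale parseLocaleChecked(String param, Locale fallback) {
        if (param == null || !param.matches("[a-z]{2,3}(_[A-Z]{2})?")) {
            return fallback;
        }
        Locale candidate = parseLocaleUnchecked(param);
        return AVAILABLE.contains(candidate) ? candidate : fallback;
    }

    // Stand-in for "language display": a view that prints the locale back
    // into HTML without output encoding.
    static String renderLanguageDisplay(Locale locale) {
        return "<p>Current language: " + locale.toString() + "</p>";
    }

    public static void main(String[] args) {
        // Constructed input: a locale string whose variant segment is markup,
        // as it might arrive in ?request_locale=...
        String hostile = "en_US_<script>alert(1)</script>";

        // Unchecked path: the markup is echoed verbatim into the page.
        System.out.println(renderLanguageDisplay(parseLocaleUnchecked(hostile)));

        // Checked path: the value fails the grammar check and the default is used.
        System.out.println(renderLanguageDisplay(parseLocaleChecked(hostile, Locale.ENGLISH)));
    }
}
```

The first line printed by `main` contains the `<script>` element unchanged, because `Locale.toString()` concatenates language, country and variant as given; the second falls back to `en`. Input validation on the locale is the fix this CVE is about, but the view should also HTML-encode the locale when rendering it, since a Locale is still attacker-controlled text whichever path produced it.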
Comment 3 Swamp Workflow Management 2016-04-13 22:00:24 UTC
bugbot adjusting priority
Comment 5 Johannes Segitz 2016-04-22 08:37:29 UTC
vulnerable code is not present