CVE-2008-2025
Description
Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in Apache Struts on SUSE Linux due to insufficient parameter quoting allows remote attackers to inject arbitrary web script or HTML.
Vulnerability
The vulnerability is a cross-site scripting (XSS) flaw in Apache Struts versions prior to specific SUSE packages: before 1.2.9-162.31.1 on SLE 11, before 1.2.9-108.2 on openSUSE 10.3, before 1.2.9-198.2 on openSUSE 11.0, and before 1.2.9-162.163.2 on openSUSE 11.1 [4]. The issue stems from insufficient quoting of parameters, allowing injection of arbitrary web script or HTML [1][2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication, but user interaction is required (e.g., clicking a crafted link) [2]. The attack vector is network-based with medium complexity [4]. The exact vectors are unspecified, but the flaw involves improper handling of parameters in the Struts framework [1].
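As an added illustration of the flaw class, not code from Struts and not this CVE's actual vector (the references leave it unspecified), the following Python shows why escaping only angle brackets is "insufficient quoting" for a parameter that is echoed into an HTML attribute, and uses the standard-library HTML parser to check whether the reflected value stays inside its attribute. The payload string, the two rendering helpers and the parser check are all constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed attribute-breakout payload (generic, not the CVE's vector):
# the leading quote closes value="...", the rest adds an event handler.
PAYLOAD = '" onfocus="alert(1)" autofocus="'


def render_insufficient(value: str) -> str:
    """Echo a parameter into an attribute while escaping only < and >.

    This stops <script> injection into text nodes but not breakout from
    a double-quoted attribute, because the quote character is untouched.
    """
    v = value.replace("<", "&lt;").replace(">", "&gt;")
    return f'<input type="text" name="q" value="{v}">'


def render_quoted(value: str) -> str:
    """Echo the same parameter with quote=True so " and ' are encoded too."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


class _AttrCollector(HTMLParser):
    """Collect the attributes the browser-side parser would see on <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attrs(fragment: str) -> dict:
    p = _AttrCollector()
    p.feed(fragment)
    return p.attrs


def has_injected_handler(fragment: str) -> bool:
    """True if the rendered tag gained any on* event-handler attribute."""
    return any(k.lower().startswith("on") for k in parsed_attrs(fragment))


if __name__ == "__main__":
    for name, render in (("insufficient", render_insufficient), ("quoted", render_quoted)):
        out = render(PAYLOAD)
        print(f"{name:12s} {out}")
        print(f"{'':12s} attrs={parsed_attrs(out)} handler={has_injected_handler(out)}")
```

The insufficiently quoted rendering ends up with an empty `value` plus attacker-controlled `onfocus` and `autofocus` attributes; the fully quoted rendering keeps the entire payload as the literal content of `value`, which is the property a fix for this class of bug has to establish for every reflected parameter.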
Impact
Successful exploitation leads to partial integrity impact, as the attacker can inject malicious script or HTML into the context of the affected application [2][4]. The CVSS scoring records no confidentiality or availability impact, but in practice script running in the victim's session can read session cookies not marked HttpOnly and issue requests on behalf of the user, so the real-world impact depends on what the affected application exposes to authenticated users.
Mitigation
SUSE has released fixed packages: for SLE 11, version 1.2.9-162.37.1 per [4] (the CVE description and the affected-packages table below give 1.2.9-162.31.1 as the first fixed SLE 11 release; either number is at or above that threshold); for openSUSE 10.3, 1.2.9-108.2; for openSUSE 11.0, 1.2.9-198.2; for openSUSE 11.1, 1.2.9-162.163.2 [4]. The Secunia advisory initially listed the solution as unpatched [1], but SUSE later resolved the issue [4]. Users should update to the specified versions or apply the SUSE security update SUSE-SR:2009:008 [4], and confirm with `rpm -q struts` that the installed version-release is at or above the fixed one for their product.
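An added helper, not from SUSE or from the page's references, for checking an installed struts RPM against the fixed versions listed above. It implements an approximation of rpm's rpmvercmp segment comparison (sufficient for the dotted numeric version and release strings involved here; the real function also handles `~` and `^` ordering) and can read the installed version with `rpm -q --qf`. The FIXED table uses 1.2.9-162.31.1 for SLE 11, the value in the CVE description; the product names used as keys are this example's own.

```python
import re
import subprocess
from typing import Optional

# First fixed VERSION-RELEASE per product, as listed on this CVE page.
FIXED = {
    "SLE 11": "1.2.9-162.31.1",
    "openSUSE 10.3": "1.2.9-108.2",
    "openSUSE 11.0": "1.2.9-198.2",
    "openSUSE 11.1": "1.2.9-162.163.2",
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Approximation of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Strings are split into numeric and alphabetic segments; numeric segments
    compare as integers, alpha segments lexically, numeric sorts newer than
    alpha, and a string with more segments sorts newer when the shared prefix ties.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            ix, iy = int(x), int(y)
            if ix != iy:
                return -1 if ix < iy else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def compare_vr(installed: str, fixed: str) -> int:
    """Compare two VERSION-RELEASE strings: version first, release as tie-break."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    c = rpmvercmp(iv, fv)
    return c if c != 0 else rpmvercmp(ir, fr)


def is_vulnerable(installed_vr: str, product: str) -> bool:
    """True if the installed struts package predates the fixed release for `product`."""
    return compare_vr(installed_vr, FIXED[product]) < 0


def installed_struts_vr() -> Optional[str]:
    """VERSION-RELEASE of the installed struts RPM, or None if rpm or the package is absent."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "struts"],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    vr = installed_struts_vr()
    if vr is None:
        print("struts RPM not installed or rpm not available; showing constructed samples")
        for sample, product in (("1.2.9-162.30.1", "SLE 11"), ("1.2.9-108.2", "openSUSE 10.3")):
            print(f"{product}: {sample} vulnerable={is_vulnerable(sample, product)}")
    else:
        for product in FIXED:
            print(f"{product}: installed {vr} vulnerable={is_vulnerable(vr, product)}")
```

Run it on the host (or feed it the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' struts` from an inventory) and pick the product key matching the installed distribution; a `True` result means the package is older than the SUSE-SR:2009:008 fix.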
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| struts:struts (Maven) | < 1.2.9-162.31.1 | 1.2.9-162.31.1 |
Affected products
- cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*
- (no CPE) range: <= 1.2.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- download.opensuse.org/update/10.3-test/repodata/patch-struts-5872.xml (NVD: Patch, Web)
- github.com/advisories/GHSA-wcgx-2hvx-5cwr (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2008-2025 (GHSA: Advisory)
- lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html (NVD: Web)
- support.novell.com/security/cve/CVE-2008-2025.html (NVD: Web)
- bugzilla.novell.com/show_bug.cgi (NVD: Web)
- launchpad.net/bugs/cve/2008-2025 (NVD: Web)
- web.archive.org/web/20090410082732/http://secunia.com/advisories/34642 (GHSA: Web)
- web.archive.org/web/20090411051126/http://secunia.com/advisories/34567 (GHSA: Web)
- osvdb.org/53380 (NVD)
- secunia.com/advisories/34567 (NVD)
- secunia.com/advisories/34642 (NVD)
News mentions
No linked articles in our index yet.