Moderate severityNVD Advisory· Published Apr 9, 2009· Updated Jun 16, 2026
CVE-2008-6682
CVE-2008-6682
Description
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.struts:struts2-coreMaven | >= 2.0.0, < 2.0.11.1 | 2.0.11.1 |
org.apache.struts:struts2-coreMaven | >= 2.1.0, < 2.1.1 | 2.1.1 |
Affected products
6Patches
Vulnerability mechanics
References
13- www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449.htmlnvdPatch
- www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449i20.htmlnvdPatch
- github.com/advisories/GHSA-jgcr-9c2q-rvp8ghsaADVISORY
- issues.apache.org/struts/browse/WW-2414nvdVendor AdvisoryWEB
- issues.apache.org/struts/browse/WW-2427nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2008-6682ghsaADVISORY
- github.com/apache/struts/commit/09147ffad2b3046ed21af0f524c5088e2ac551e6ghsaWEB
- github.com/apache/struts/commit/bd3f2f59c9b09f70aed3ebab6bb69b464ee2d6cbghsaWEB
- github.com/apache/struts/commit/dae026a0f0511f83852053bae9d5a622e7f80486ghsaWEB
- web.archive.org/web/20080610075918/http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449i20.htmlghsaWEB
- web.archive.org/web/20080611112834/http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449.htmlghsaWEB
- web.archive.org/web/20200229155553/http://www.securityfocus.com/bid/34686ghsaWEB
- www.securityfocus.com/bid/34686nvd
News mentions
0No linked articles in our index yet.