CVE-2011-2087
Description
Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of value attributes in (1) FileHandler.java, (2) HiddenHandler.java, (3) PasswordHandler.java, (4) RadioHandler.java, (5) ResetHandler.java, (6) SelectHandler.java, (7) SubmitHandler.java, and (8) TextFieldHandler.java.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Struts 2.x before 2.2.3 javatemplates plugin has multiple XSS flaws via arbitrary parameters to .action URIs.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in the javatemplates (Java Templates) plugin in Apache Struts 2.x versions prior to 2.2.3. The flaws are located in eight component handlers: FileHandler.java, HiddenHandler.java, PasswordHandler.java, RadioHandler.java, ResetHandler.java, SelectHandler.java, SubmitHandler.java, and TextFieldHandler.java. They arise from improper handling of value attributes, where user-supplied parameter values are rendered without proper escaping. The vulnerable code path is reachable when any .action URI is processed by the plugin, allowing arbitrary parameter values to be injected [1][3].
Exploitation
An attacker can exploit these vulnerabilities remotely without prior authentication. The attack vector is over HTTP or HTTPS, requiring no special network position other than standard web access. The attacker simply crafts a malicious parameter value containing JavaScript or HTML and submits it to a .action URI handled by the javatemplates plugin. The injected script is then reflected in the server's response, as the value is inserted into the generated HTML without sanitization [1][3].
Impact
Successful exploitation allows remote attackers to inject arbitrary web script or HTML into the victim's browser context. The impact is arbitrary script execution in the user's session, potentially leading to session hijacking, credential theft, or defacement. The confidentiality, integrity, and availability of the application can be compromised within the security context of the affected user [1].
Mitigation
The flaw was addressed in Apache Struts version 2.2.3, released on or before May 13, 2011 [4]. Users should upgrade to Struts 2.2.3 or later. The fix involved modifying the component handlers to properly escape value attributes when generating HTML, as shown in commits that remove the unescaped attribute handling [3]. There is no mention of this CVE in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the available references.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.struts:struts2-parentMaven | < 2.2.3 | 2.2.3 |
Affected products
30cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*+ 28 more
- cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*
- (no CPE)range: <2.2.3
Patches
11736b56db702WW-3597 - XSS vulnerability in javatemplates plugin (thanks Gareth Faires)
8 files changed · +10 −10
plugins/javatemplates/src/main/java/org/apache/struts2/views/java/simple/FileHandler.java+1 −1 modified@@ -35,7 +35,7 @@ public void generate() throws IOException { a.addDefaultToEmpty("name", params.get("name")) .add("type", "file") .addIfExists("size", params.get("size")) - .addIfExists("value", params.get("nameValue"), false) + .addIfExists("value", params.get("nameValue")) .addIfTrue("disabled", params.get("disabled")) .addIfExists("accept", params.get("accept")) .addIfExists("tabindex", params.get("tabindex"))
plugins/javatemplates/src/main/java/org/apache/struts2/views/java/simple/HiddenHandler.java+1 −1 modified@@ -34,7 +34,7 @@ public void generate() throws IOException { a.addDefaultToEmpty("name", params.get("name")) .add("type", "hidden") - .addIfExists("value", params.get("nameValue"), false) + .addIfExists("value", params.get("nameValue")) .addIfTrue("disabled", params.get("disabled")) .addIfExists("id", params.get("id")) .addIfExists("class", params.get("cssClass"))
plugins/javatemplates/src/main/java/org/apache/struts2/views/java/simple/PasswordHandler.java+1 −1 modified@@ -34,7 +34,7 @@ public void generate() throws IOException { Boolean showPassword = (Boolean) params.get("showPassword"); if (showPassword != null && showPassword) - attrs.addIfExists("value", params.get("nameValue"), false); + attrs.addIfExists("value", params.get("nameValue")); attrs.addDefaultToEmpty("name", params.get("name")) .add("type", "password")
plugins/javatemplates/src/main/java/org/apache/struts2/views/java/simple/RadioHandler.java+1 −1 modified@@ -79,7 +79,7 @@ public void generate() throws IOException { a.add("type", "radio") .addDefaultToEmpty("name", params.get("name")) .addIfTrue("checked", checked) - .addIfExists("value", itemKeyStr, false) + .addIfExists("value", itemKeyStr) .addIfTrue("disabled", params.get("disabled")) .addIfExists("tabindex", params.get("tabindex")) .addIfExists("id", id);
plugins/javatemplates/src/main/java/org/apache/struts2/views/java/simple/ResetHandler.java+1 −1 modified@@ -37,7 +37,7 @@ public void generate() throws IOException { attrs.addDefaultToEmpty("name", params.get("name")) .add("type", "reset") - .addIfExists("value", params.get("nameValue"), false) + .addIfExists("value", params.get("nameValue")) .addIfExists("tabindex", params.get("tabindex")) .addIfExists("id", params.get("id")) .addIfExists("class", params.get("cssClass"))
plugins/javatemplates/src/main/java/org/apache/struts2/views/java/simple/SelectHandler.java+1 −1 modified@@ -43,7 +43,7 @@ public void generate() throws IOException { a.addDefaultToEmpty("name", params.get("name")) .addIfExists("size", params.get("size")) - .addIfExists("value", value, false) + .addIfExists("value", value) .addIfTrue("disabled", params.get("disabled")) .addIfTrue("readonly", params.get("readonly")) .addIfTrue("multiple", params.get("multiple"))
plugins/javatemplates/src/main/java/org/apache/struts2/views/java/simple/SubmitHandler.java+3 −3 modified@@ -38,7 +38,7 @@ public void generate() throws IOException { if ("button".equals(type)) { attrs.addIfExists("name", params.get("name")) .add("type", "submit") - .addIfExists("value", params.get("nameValue"), false) + .addIfExists("value", params.get("nameValue")) .addIfTrue("disabled", params.get("disabled")) .addIfExists("tabindex", params.get("tabindex")) .addIfExists("id", params.get("id")) @@ -47,7 +47,7 @@ public void generate() throws IOException { start("button", attrs); } else if ("image".equals(type)) { - attrs.addIfExists("src", params.get("src"), false) + attrs.addIfExists("src", params.get("src")) .add("type", "image") .addIfExists("alt", params.get("label")) .addIfExists("id", params.get("id")) @@ -57,7 +57,7 @@ public void generate() throws IOException { } else { attrs.addIfExists("name", params.get("name")) .add("type", "submit") - .addIfExists("value", params.get("nameValue"), false) + .addIfExists("value", params.get("nameValue")) .addIfTrue("disabled", params.get("disabled")) .addIfExists("tabindex", params.get("tabindex")) .addIfExists("id", params.get("id"))
plugins/javatemplates/src/main/java/org/apache/struts2/views/java/simple/TextFieldHandler.java+1 −1 modified@@ -36,7 +36,7 @@ public void generate() throws IOException { .addDefaultToEmpty("name", params.get("name")) .addIfExists("size", params.get("size")) .addIfExists("maxlength", params.get("maxlength")) - .addIfExists("value", params.get("nameValue"), false) + .addIfExists("value", params.get("nameValue")) .addIfTrue("disabled", params.get("disabled")) .addIfTrue("readonly", params.get("readonly")) .addIfExists("tabindex", params.get("tabindex"))
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- issues.apache.org/jira/browse/WW-3597nvdExploitWEB
- www.vupen.com/english/advisories/2011/1198nvdVendor Advisory
- github.com/advisories/GHSA-5pgj-r7c6-7c7wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2011-2087ghsaADVISORY
- struts.apache.org/2.2.3/docs/version-notes-223.htmlnvdWEB
- github.com/apache/struts/commit/1736b56db702c6639a6d5ae1146dba5a262e3344ghsaWEB
- issues.apache.org/jira/browse/WW-3608nvdWEB
News mentions
0No linked articles in our index yet.