Moderate severity | NVD Advisory | Published May 13, 2011 | Updated Apr 29, 2026
CVE-2011-2088
Description
XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.struts.xwork:xwork-core (Maven) | < 2.2.2 | 2.2.2 |
Affected products
- cpe:2.3:a:opensymphony:webwork:-:*:*:*:*:*:*:*
- cpe:2.3:a:opensymphony:xwork:-:*:*:*:*:*:*:*
- cpe:2.3:a:opensymphony:xwork:2.2.1:*:*:*:*:*:*:*
Patches
Commit 885ab3459e14: Solves WW-3579 - escapes actionName and methodName to prevent XSS vulnerability
1 file changed · +6 −6
xwork-core/src/main/java/com/opensymphony/xwork2/DefaultActionProxy.java+6 −6 modified@@ -23,12 +23,12 @@ import com.opensymphony.xwork2.util.logging.Logger; import com.opensymphony.xwork2.util.logging.LoggerFactory; import com.opensymphony.xwork2.util.profiling.UtilTimerStack; +import org.apache.commons.lang.StringEscapeUtils; +import org.apache.commons.lang.StringUtils; import java.io.Serializable; import java.util.Locale; -import org.apache.commons.lang.StringUtils; - /** * The Default ActionProxy implementation @@ -74,10 +74,10 @@ protected DefaultActionProxy(ActionInvocation inv, String namespace, String acti LOG.debug("Creating an DefaultActionProxy for namespace " + namespace + " and action name " + actionName); } - this.actionName = actionName; - this.namespace = namespace; - this.executeResult = executeResult; - this.method = methodName; + this.actionName = StringEscapeUtils.escapeHtml(actionName); + this.namespace = namespace; + this.executeResult = executeResult; + this.method = StringEscapeUtils.escapeJavaScript(StringEscapeUtils.escapeHtml(methodName)); } @Inject
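Review bot: in the DefaultActionProxy constructor hunk, the escaping is applied to the stored identifiers (`this.actionName = StringEscapeUtils.escapeHtml(actionName);` and `this.method = StringEscapeUtils.escapeJavaScript(StringEscapeUtils.escapeHtml(methodName));`) rather than at the point where the names are written into an error page, so the proxy now dispatches on an HTML-encoded name: any action or method name that legitimately contains a character escapeHtml rewrites (`&`, `<`, `>`, `"`) will no longer match its configuration. The stacked encoding on `method` also yields a string that is correct for neither an HTML nor a JavaScript context on its own (a `"` becomes `&quot;` and is then left alone by escapeJavaScript, while `'` is untouched by escapeHtml and then becomes `\'`). Suggest keeping the raw values in the fields and encoding once, for the specific output context, in the code path that builds the "no such method" message, with a unit test that constructs the proxy from a name containing markup and asserts on the rendered error text so the behaviour stays pinned.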
References
- issues.apache.org/jira/browse/WW-3579 (NVD: Patch, Web)
- github.com/advisories/GHSA-9ccm-g362-2r35 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2011-2088 (GHSA: Advisory)
- secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html (NVD: Web)
- github.com/apache/struts/commit/885ab3459e146ff830d1f7257f809f4a3dd4493a (GHSA: Web)
- web.archive.org/web/20110726113612/http://www.ventuneac.net/security-advisories/MVSA-11-006 (GHSA: Web)
- web.archive.org/web/20201207174744/http://www.securityfocus.com/archive/1/518066/100/0/threaded (GHSA: Web)
- secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html (NVD)
- www.securityfocus.com/archive/1/518066/100/0/threaded (NVD)
- www.ventuneac.net/security-advisories/MVSA-11-006 (NVD)