CVE-2012-1006
Description
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Struts 2.0.14 and 2.2.3 are vulnerable to multiple reflected XSS via name, lastName, or clientName parameters.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in Apache Struts versions 2.0.14 and 2.2.3 [1][2]. The flaws are caused by improper validation of input supplied via the name and lastName parameters in the struts2-showcase/person/editPerson.action endpoint, and the clientName parameter in the struts2-rest-showcase/orders endpoint [1][3]. An attacker can inject arbitrary web script or HTML through these parameters [1].
Exploitation
A remote attacker can exploit these vulnerabilities without requiring authentication [2]. The attacker must craft a malicious URL containing JavaScript or HTML in the vulnerable parameter and trick a victim into visiting it, typically via a link or embedded content [3]. No special network position beyond standard HTTP access is needed; the attack vector is network-based, via an HTTP GET request [1][2].
Impact
Successful exploitation allows the attacker to inject arbitrary web script or HTML into the victim's browser [1]. This can lead to cookie-based authentication credential theft, session hijacking, or defacement of the page [3]. The impact is primarily confidentiality and integrity compromise within the context of the affected application and the user's session.
Mitigation
Apache Struts users should upgrade to a patched version beyond 2.2.3 as soon as possible; the vulnerable versions are 2.0.14 and 2.2.3 [2]. No workaround is mentioned in the available references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of February 2025.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.struts:struts2-parent | Maven | < 2.1.2 | 2.1.2 |
| org.apache.struts:struts2-parent | Maven | >= 2.2, < 2.2.3.1 | 2.2.3.1 |
Affected products (4)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (9)
- github.com/advisories/GHSA-cmpm-jg8r-fv37 (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2012-1006 (source: ghsa; type: ADVISORY)
- exchange.xforce.ibmcloud.com/vulnerabilities/72888 (source: nvd; type: WEB)
- web.archive.org/web/20120219225953/http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt (source: ghsa; type: WEB)
- web.archive.org/web/20131013214245/http://secpod.org/blog/ (source: ghsa; type: WEB)
- web.archive.org/web/20200229131840/http://www.securityfocus.com/bid/51902 (source: ghsa; type: WEB)
- secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt (source: nvd)
- secpod.org/blog/ (source: nvd)
- www.securityfocus.com/bid/51902 (source: nvd)
News mentions (0)
No linked articles in our index yet.