CVE-2015-2992
Description
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Struts before 2.3.20 is vulnerable to cross-site scripting (XSS) via direct access to JSP files, allowing arbitrary script execution.
Vulnerability
Overview
CVE-2015-2992 is a cross-site scripting (XSS) vulnerability in Apache Struts versions prior to 2.3.20. The root cause is that the framework does not prevent direct access to JSP files, which can be requested without going through a Struts action. This allows an attacker to inject malicious scripts into the response if the JSP file contains user-controlled input or is not properly sanitized [2].
Exploitation
An attacker can exploit this vulnerability by crafting a URL that directly accesses a JSP file on the server. No authentication is required, as the JSP file is served directly by the web container. The attack is successful when the user's browser processes the response without proper XSS filtering, leading to script execution in the user's session [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information. The impact is limited to scenarios where the XSS filter is disabled or bypassed, but it remains a significant risk for applications that expose JSP files directly [2].
Mitigation
The vulnerability is fixed in Apache Struts 2.3.20 and later. For applications that cannot upgrade immediately, the Struts developers recommend placing all JSP files under the WEB-INF folder to prevent direct access, or adding a security constraint in web.xml that restricts direct JSP access [1]. Either measure removes the direct-access vector, because requests for JSP files are then rejected by the container before the JSP is rendered, while Struts actions can still forward to those JSPs internally.
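The web.xml constraint described above, written out as an added example (not the page's or the Struts project's own text). It assumes the standard Servlet deployment descriptor; the display names are arbitrary. An auth-constraint with no role-name elements denies access to every client request matching the patterns, while internal forwards from a Struts action to the same JSPs are unaffected because security constraints apply only to requests arriving from the client.

```xml
<!-- Deny direct client requests to any JSP/JSPX under the web application root. -->
<security-constraint>
  <display-name>Block direct JSP access (CVE-2015-2992 mitigation)</display-name>
  <web-resource-collection>
    <web-resource-name>All JSP files</web-resource-name>
    <!-- Both extensions are covered so a .jspx file is not left reachable. -->
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
    <!-- No http-method elements: the constraint applies to every HTTP method. -->
  </web-resource-collection>
  <!-- An empty auth-constraint means "no role may access", i.e. deny all. -->
  <auth-constraint/>
</security-constraint>
```

After deployment, a request such as `GET /app/page.jsp` should return 403 from the container, while the corresponding Struts action mapping (for example `/app/page.action`) still renders the JSP via an internal forward.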
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.struts:struts2-core | Maven | < 2.3.20 | 2.3.20 |
Affected products
- Apache Software Foundation / Apache Struts, range: before 2.3.20
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-265r-pp83-gww7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-2992 (GHSA advisory)
- jvn.jp/en/jp/JVN88408929/index.html (GHSA, MISC, web)
- jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000124.html (GHSA, MISC, web)
- www.securityfocus.com/bid/76624 (GHSA, MISC, web)
- cwiki.apache.org/confluence/display/WW/S2-025 (GHSA, web)
- cwiki.apache.org/confluence/display/WW/Security (GHSA, web)
- security.netapp.com/advisory/ntap-20200330-0001 (GHSA, web; MITRE, CONFIRM)
News mentions
No linked articles in our index yet.