CVE-2006-1548

medium

Description

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.

References

https://issues.apache.org/struts/browse/STR-2781

https://exchange.xforce.ibmcloud.com/vulnerabilities/25614

http://www.vupen.com/english/advisories/2006/1205

http://www.securityfocus.com/bid/17342

http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html

http://securitytracker.com/id?1015856

http://secunia.com/advisories/20117

http://secunia.com/advisories/19493

http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html

http://issues.apache.org/bugzilla/show_bug.cgi?id=38749

Details

Source: Mitre, NVD

Published: 2006-03-30

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.05012