Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.

There are packages installed that are affected by a vulnerability referenced in the following CVE:

  - Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote
    attackers to bypass the CSRF protection mechanism. (CVE-2014-7809)

According to its self-reported version, the MySQL Enterprise Monitor running on the remote host may be affected by a cross-site request forgery vulnerability due to the token generator failing to adequately randomize the token values. A remote attacker can exploit this by extracting a token from a form and then predicting the next token value that will be used to secure form submissions. By convincing a victim to visit a specially crafted form, the attacker can then use the predicted token value to force an action for a logged in user.

Note that this vulnerability can only be exploited when the <s:token/> tag is used within a form.

The remote web server is using a version of Struts 2 that is affected by multiple vulnerabilities :

  - A cross-site request forgery vulnerability exists due to     the token generator failing to adequately randomize the     token values. An attacker can exploit this issue by     extracting a token from a form and then predicting the     next token value that will be used to secure form     submissions. By convincing a victim to visit a specially     crafted form, the predicted token value can be used to     force an action for a logged in user. Note that this     vulnerability can only be exploited when the <s:token/>     tag is used within a form. (CVE-2014-7809)

  - A cross-site scripting vulnerability exists due to     improper validation of input passed via the 'Problem     Report' screen when using debug mode. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary script     code in the context of a user's browser session.
    (CVE-2015-5169)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
415472	SCA: security update for org.apache.struts:struts2-core (GHSA-h4v9-jf2r-9h6m)	Tenable Cloud Security	SCA Checks	medium
415472	SCA: security update for org.apache.struts:struts2-core (GHSA-h4v9-jf2r-9h6m)	Tenable Self-Hosted Container Security	SCA Checks	medium
83296	MySQL Enterprise Monitor 3.0.x < 3.0.19 Apache Struts Predictable Token XSRF	Nessus	CGI abuses	medium
83294	MySQL Enterprise Monitor < 2.3.20 Apache Struts Predictable Token XSRF	Nessus	CGI abuses	medium
79860	Apache Struts 2 Multiple Vulnerabilities (S2-023) (S2-025)	Nessus	Misc.	high

Detections

Analytics

CVE-2014-7809

medium

Tenable Plugins

medium

medium

medium

medium

high