Vulnerability Details : CVE-2008-2025

Exploit prediction scoring system (EPSS) score for CVE-2008-2025

CVSS scores for CVE-2008-2025

CWE ids for CVE-2008-2025

• CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
  Assigned by: nvd@nist.gov (Primary)

Vendor statements for CVE-2008-2025

• Red Hat 2009-10-20
  This is not a security flaw in Struts. Struts has never guaranteed to perform filtering of the untrusted user inputs used as html tag attributes names or values. If user inputs need to be used as part of the tag attributes, the JSP page needs to perform filtering explicitly. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025

References for CVE-2008-2025

• http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
  [security-announce] SUSE Security Summary Report: SUSE-SR:2009:008 - openSUSE Security Announce - openSUSE Mailing Lists

  CVEs referencing this url
• https://launchpad.net/bugs/cve/2008-2025
  CVE-2008-2025
• http://download.opensuse.org/update/10.3-test/repodata/patch-struts-5872.xml
  Resource is no longer available!

  Patch
• http://support.novell.com/security/cve/CVE-2008-2025.html
  CVE-2008-2025 Common Vulnerabilities and Exposures | SUSE
• https://bugzilla.novell.com/show_bug.cgi?id=385273
  Access Denied

Products affected by CVE-2008-2025

• Apache » Struts » Version: 1.2.7
  cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*

  Matching versions
  When used together with: Novell » Suse Linux » Version: 11 Enterprise Edition
  When used together with: Opensuse » Opensuse » Version: 10.3
  When used together with: Opensuse » Opensuse » Version: 11.0
  When used together with: Opensuse » Opensuse » Version: 11.1
• Apache » Struts » Version: 1.1
  cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*

  Matching versions
  When used together with: Novell » Suse Linux » Version: 11 Enterprise Edition
  When used together with: Opensuse » Opensuse » Version: 10.3
  When used together with: Opensuse » Opensuse » Version: 11.0
  When used together with: Opensuse » Opensuse » Version: 11.1
• Apache » Struts » Version: 1.2.8
  cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*

  Matching versions
  When used together with: Novell » Suse Linux » Version: 11 Enterprise Edition
  When used together with: Opensuse » Opensuse » Version: 10.3
  When used together with: Opensuse » Opensuse » Version: 11.0
  When used together with: Opensuse » Opensuse » Version: 11.1
• Apache » Struts » Version: 1.2.4
  cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*

  Matching versions
  When used together with: Novell » Suse Linux » Version: 11 Enterprise Edition
  When used together with: Opensuse » Opensuse » Version: 10.3
  When used together with: Opensuse » Opensuse » Version: 11.0
  When used together with: Opensuse » Opensuse » Version: 11.1
• Apache » Struts » Version: 1.0.2
  cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*

  Matching versions
  When used together with: Novell » Suse Linux » Version: 11 Enterprise Edition
  When used together with: Opensuse » Opensuse » Version: 10.3
  When used together with: Opensuse » Opensuse » Version: 11.0
  When used together with: Opensuse » Opensuse » Version: 11.1