|Home > Security Bulletins > S2-030|
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible XSS vulnerability
Maximum security rating
Do not expose parts of
Struts 2.0.0 - Struts Struts 18.104.22.168
Paolo Perliti paolo dot perliti at miliaris dot it - Miliaris
The Apache Struts framework uses
I18NInterceptor to allow users and developers switch language used in the framework and an application built on top of it. The problem is that the interceptor doesn't perform any validation of the user input and accept arbitrary string which can be used by a developer to display language selected by the user. However, the framework doesn't expose the value directly in UI.
If you want present language selected by user based on
I18NInterceptor always escape the string before presenting it to the user. Alternatively upgrade to Struts 2.3.28.
No issues expected when upgrading to Struts 2.3.28.
When needed you can use StringEscapeUtils from the Apache Commons to escape the string.