490449 – dev-java/struts: Multiple XSS vulnerabilities (CVE-2013-6348)

Bug 490449 - dev-java/struts: Multiple XSS vulnerabilities (CVE-2013-6348)

Summary: dev-java/struts: Multiple XSS vulnerabilities (CVE-2013-6348)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2013-11-05 02:19 UTC by GLSAMaker/CVETool Bot
Modified:	2016-02-08 20:12 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2013-11-05 02:19:21 UTC

CVE-2013-6348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6348):
  Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts
  2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via
  the namespace parameter to (1) actionNames.action and (2) showConfig.action
  in config-browser/.

Comment 1 Yury German Gentoo Infrastructure

2013-11-05 12:49:16 UTC

Looks like addressed in 2.3.16 as part of upstream.
https://issues.apache.org/jira/browse/WW/fixforversion/12324546

Comment 2 Patrice Clement gentoo-dev

2016-02-07 11:10:00 UTC

This package has been removed, along with all the struts related ebuilds. See bug 540888.

Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev

2016-02-08 20:11:56 UTC

GLSA Vote: No

Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev

2016-02-08 20:12:37 UTC

Since no glsa for XSS, closing this