Skip to content

Cross-Site Request Forgery in Apache Struts

Moderate severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated Dec 28, 2023

Package

maven org.apache.struts:struts2-core (Maven)

Affected versions

< 2.3.20

Patched versions

2.3.20

Description

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.

References

Published by the National Vulnerability Database Dec 10, 2014
Published to the GitHub Advisory Database May 14, 2022
Reviewed Nov 3, 2022
Last updated Dec 28, 2023

Severity

Moderate

Weaknesses

CVE ID

CVE-2014-7809

GHSA ID

GHSA-h4v9-jf2r-9h6m

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.