CVE-2009-1275

EUVD-2022-1959
Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.8 UNKNOWN | NETWORK | MEDIUM | | AV:N/AC:M/Au:N/C:P/I:P/A:P |
EPSS Score percentile: 79%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| apache | tiles | 2.1.0 |
| apache | tiles | 2.1.1 |
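Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| tiles | bookworm | 3.0.7-5 | fixed |
| tiles | bullseye | 3.0.7-4 | fixed |
| tiles | sid | 3.0.7-5 | fixed |
| tiles | trixie | 3.0.7-5 | fixed |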