CVE-2016-2162: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 17, 2022 (updated July 31, 2023)

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

References

struts.apache.org/docs/s2-030.html
github.com/advisories/GHSA-2j4q-9fff-236j
nvd.nist.gov/vuln/detail/CVE-2016-2162
web.archive.org/web/20210123095722/http://www.securityfocus.com/bid/85070
web.archive.org/web/20210801130539/http://www.securitytracker.com/id/1035272

Detect and mitigate CVE-2016-2162 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →