Vulnerability Name:

CVE-2005-3745 (CCN-23173)

Assigned:2005-11-21
Published:2005-11-21
Updated:2020-12-08
Summary:Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message.
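The pattern behind this entry is a reflected XSS in an error page: attacker-controlled request data (here the query string) is echoed into the HTML of an error message without output encoding. The following is an added example, not code from this page or from the Struts project: a hypothetical vulnerable handler beside its hardened form, plus the black-box check a tester would run against a real error page. The function names, the `/app/missing.do` path, the probe string and the error-message wording are all constructed for the demonstration.

```python
import html

# Constructed probe and request URI for the demonstration; not captured from a
# real Struts deployment. The query string carries the classic XSS marker.
PROBE = "<script>alert(1)</script>"
SAMPLE_URI = "/app/missing.do?arg=" + PROBE


def error_page_unescaped(request_uri: str) -> str:
    """Hypothetical vulnerable handler (not Struts source): the requested URI,
    query string included, is echoed into the error message with no quoting,
    so anything the attacker placed in the query string becomes live markup."""
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Invalid path {request_uri} was requested</p>"
        "</body></html>"
    )


def error_page_escaped(request_uri: str) -> str:
    """Hardened form of the same handler: the attacker-controlled value is
    HTML-encoded before it is placed in element content. quote=True also
    encodes quote characters, which matters if the value ever lands inside
    an attribute instead of element text."""
    safe = html.escape(request_uri, quote=True)
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Invalid path {safe} was requested</p>"
        "</body></html>"
    )


def reflects_unescaped(body: str, probe: str) -> bool:
    """Black-box check against a 404/500 page: the response counts as
    vulnerable if the raw probe comes back byte-for-byte. An encoded echo
    (&lt;script&gt;) is the expected safe behaviour and does not count."""
    return probe in body


def assess(handler, request_uri: str, probe: str) -> dict:
    """Drive one handler with the probe URI and report what came back."""
    body = handler(request_uri)
    return {
        "reflected_raw": reflects_unescaped(body, probe),
        "reflected_encoded": html.escape(probe, quote=True) in body,
    }


if __name__ == "__main__":
    for name, handler in (("unescaped", error_page_unescaped),
                          ("escaped", error_page_escaped)):
        print(name, assess(handler, SAMPLE_URI, PROBE))
```

The check deliberately looks for the probe verbatim rather than for the absence of `<script`: a handler that strips the literal tag but leaves other markup through would still fail a probe built from, say, an event-handler attribute, so in practice the test is repeated with several probe shapes. The fix side is the usual one for this class of bug: encode at the point of output, for the context (element text vs. attribute) the value is written into, rather than trying to filter the input.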
CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: Full-Disclosure Mailing List, Mon Nov 21 2005 - 10:17:46 CST
Security Advisory: Struts Error Message Cross Site Scripting

Source: MITRE
Type: CNA
CVE-2005-3745

Source: CCN
Type: RHSA-2006-0157
struts security update for Red Hat Application Server

Source: CCN
Type: RHSA-2006-0161
RHAPS security and enhancement update

Source: CCN
Type: SA17677
Struts Error Message Cross-Site Scripting Vulnerability

Source: SECUNIA
Type: UNKNOWN
17677

Source: CCN
Type: SA18341
Red Hat Application Server Struts Error Message Cross-Site Scripting

Source: SECUNIA
Type: UNKNOWN
18341

Source: SREASON
Type: UNKNOWN
197

Source: CCN
Type: SECTRACK ID: 1015257
Struts Input Validation Hole in Error Message Permits Cross-Site Scripting Attacks

Source: SECTRACK
Type: UNKNOWN
1015257

Source: CCN
Type: Apache Struts Project Web page
Downloading Struts

Source: CCN
Type: ASA-2006-011
struts security update for Red Hat Application Server (RHSA-2006-0157)

Source: MISC
Type: Exploit, Patch, Vendor Advisory
http://www.hacktics.com/AdvStrutsNov05.html

Source: OSVDB
Type: UNKNOWN
21021

Source: CCN
Type: OSVDB ID: 21021
Apache Struts Error Message XSS

Source: REDHAT
Type: UNKNOWN
RHSA-2006:0157

Source: REDHAT
Type: UNKNOWN
RHSA-2006:0161

Source: BUGTRAQ
Type: UNKNOWN
20051121 Security Advisory: Struts Error Message Cross Site Scripting

Source: BID
Type: Exploit, Patch
15512

Source: CCN
Type: BID-15512
Apache Struts Error Response Cross-Site Scripting Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2005-2525

Source: XF
Type: UNKNOWN
struts-error-message-xss(23173)

Source: MLIST
Type: UNKNOWN
[struts-issues] 20201207 [jira] [Created] (WW-5105) Tracking the fix commit of CVE-2005-3745 and CVE-2018-1327

Source: MLIST
Type: UNKNOWN
[struts-issues] 20201207 [jira] [Updated] (WW-5105) Tracking the fix commit of CVE-2005-3745 and CVE-2018-1327

Source: CCN
Type: IBM Security Bulletin 6910171 (Integration Designer)
Multiple CVEs affect IBM Integration Designer

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:struts:1.2.7:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:struts:1.2.7:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/a:redhat:rhel_application_server:2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_designer:20.0.0.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable