Details of VAR-201202-0281

ID

VAR-201202-0281

CVE

CVE-2012-1007

TITLE

Apache Struts Multiple Cross-Site Scripting Vulnerabilities

Trust: 1.2

sources: CNVD: CNVD-2012-9105 // CNNVD: CNNVD-201202-116

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do. (1) struts-examples/upload/upload-submit.do of name Parameters (2) struts-cookbook/processSimple.do of name Or message Parameters (3) struts-cookbook/processDyna.do of name Or message Parameters. Apache is a popular free open source web server that runs on a variety of Unix and Linux platforms and runs on Windows. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 2.52

sources: NVD: CVE-2012-1007 // JVNDB: JVNDB-2012-001329 // CNVD: CNVD-2012-9105 // BID: 51900 // VULMON: CVE-2012-1007

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2012-9105

AFFECTED PRODUCTS

vendor:	apache	model:	struts	scope:	eq	version:	1.3.10	Trust: 3.3
vendor:	oracle	model:	weblogic server	scope:	eq	version:	10.3.60	Trust: 0.3
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.2	Trust: 0.3
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.1	Trust: 0.3
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.0	Trust: 0.3
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.1.3.0	Trust: 0.3
vendor:	oracle	model:	retail returns management	scope:	eq	version:	14.1	Trust: 0.3
vendor:	oracle	model:	retail returns management	scope:	eq	version:	14.0	Trust: 0.3
vendor:	oracle	model:	retail returns management	scope:	eq	version:	13.4	Trust: 0.3
vendor:	oracle	model:	retail returns management	scope:	eq	version:	13.3	Trust: 0.3
vendor:	oracle	model:	retail returns management	scope:	eq	version:	13.2	Trust: 0.3
vendor:	oracle	model:	retail returns management	scope:	eq	version:	13.1	Trust: 0.3
vendor:	oracle	model:	retail returns management	scope:	eq	version:	13.0	Trust: 0.3

sources: CNVD: CNVD-2012-9105 // BID: 51900 // JVNDB: JVNDB-2012-001329 // CNNVD: CNNVD-201202-116 // NVD: CVE-2012-1007

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2012-1007
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2012-1007
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2012-9105
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201202-116
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2012-1007
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2012-1007
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2012-9105
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2012-9105 // VULMON: CVE-2012-1007 // JVNDB: JVNDB-2012-001329 // CNNVD: CNNVD-201202-116 // NVD: CVE-2012-1007

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2012-001329 // NVD: CVE-2012-1007

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201202-116

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201202-116

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-001329

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2012-1007

PATCH

title:	Apache Struts	url:	http://struts.apache.org/	Trust: 0.8
title:	Oracle: Oracle Critical Patch Update Advisory - October 2018	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=81c63752a6f26433af2128b2e8c02385	Trust: 0.1
title:	Oracle: Oracle Critical Patch Update Advisory - October 2016	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=05aabe19d38058b7814ef5514aab4c0c	Trust: 0.1
title:	Oracle: Oracle Critical Patch Update Advisory - April 2017	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=143b3fb255063c81571469eaa3cf0a87	Trust: 0.1
title:	vulnerable-app	url:	https://github.com/pctF/vulnerable-app	Trust: 0.1

sources: VULMON: CVE-2012-1007 // JVNDB: JVNDB-2012-001329

EXTERNAL IDS

db:	NVD	id:	CVE-2012-1007	Trust: 3.4
db:	BID	id:	51900	Trust: 1.3
db:	JVNDB	id:	JVNDB-2012-001329	Trust: 0.8
db:	CNVD	id:	CNVD-2012-9105	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.2355	Trust: 0.6
db:	CNNVD	id:	CNNVD-201202-116	Trust: 0.6
db:	VULMON	id:	CVE-2012-1007	Trust: 0.1

sources: CNVD: CNVD-2012-9105 // VULMON: CVE-2012-1007 // BID: 51900 // JVNDB: JVNDB-2012-001329 // CNNVD: CNNVD-201202-116 // NVD: CVE-2012-1007

REFERENCES

url:	http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html	Trust: 1.3
url:	http://secpod.org/blog/?p=450	Trust: 1.0
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/73052	Trust: 1.0
url:	http://www.securityfocus.com/bid/51900	Trust: 1.0
url:	http://secpod.org/advisories/secpod_apache_struts_multiple_parsistant_xss_vulns.txt	Trust: 1.0
url:	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1007	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-1007	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/search-results?query=cve-2012-1007	Trust: 0.6
url:	https://www-01.ibm.com/support/docview.wss?uid=ibm10795183	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2355/	Trust: 0.6
url:	http://struts.apache.org/	Trust: 0.3
url:	http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html	Trust: 0.3

sources: CNVD: CNVD-2012-9105 // BID: 51900 // JVNDB: JVNDB-2012-001329 // CNNVD: CNNVD-201202-116 // NVD: CVE-2012-1007

CREDITS

Antu Sanadi

Trust: 0.3

sources: BID: 51900

SOURCES

db:	CNVD	id:	CNVD-2012-9105
db:	VULMON	id:	CVE-2012-1007
db:	BID	id:	51900
db:	JVNDB	id:	JVNDB-2012-001329
db:	CNNVD	id:	CNNVD-201202-116
db:	NVD	id:	CVE-2012-1007

LAST UPDATE DATE

2024-11-23T20:35:24.323000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2012-9105	date:	2012-02-09T00:00:00
db:	VULMON	id:	CVE-2012-1007	date:	2018-10-17T00:00:00
db:	BID	id:	51900	date:	2017-05-02T01:11:00
db:	JVNDB	id:	JVNDB-2012-001329	date:	2012-02-08T00:00:00
db:	CNNVD	id:	CNNVD-201202-116	date:	2019-07-01T00:00:00
db:	NVD	id:	CVE-2012-1007	date:	2024-11-21T01:36:11.047

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2012-9105	date:	2012-02-09T00:00:00
db:	VULMON	id:	CVE-2012-1007	date:	2012-02-07T00:00:00
db:	BID	id:	51900	date:	2012-02-01T00:00:00
db:	JVNDB	id:	JVNDB-2012-001329	date:	2012-02-08T00:00:00
db:	CNNVD	id:	CNNVD-201202-116	date:	2012-02-09T00:00:00
db:	NVD	id:	CVE-2012-1007	date:	2012-02-07T04:09:20.360