Home > Vulnerability Database > CVE-2009-1275

Mend.io Vulnerability Database

CVE-2009-1275

Good to know:

Date: April 9, 2009

Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.

Language: Java

Severity Score

5.6

Related Resources (5)

Url: https://issues.apache.org/struts/browse/TILES-351

Url: http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt?revision=741913

Url: http://www.securityfocus.com/bid/34657

Url: https://nvd.nist.gov/vuln/detail/CVE-2009-1275

Url: https://www.mend.io/vulnerability-database/CVE-2009-1275

Severity Score

5.6

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CWE-917

Improper Neutralization of Alternate XSS Syntax

CWE-87

Top Fix

Upgrade Version

Upgrade to version 2.1.2

Learn More

CVSS v3.1

Base Score:	5.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2009-1275

Good to know:

Date: April 9, 2009

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?