CVE-2007-6726: Apache Struts Dojo Plugin XSS Vulnerability

CVSS Score: 4.3

Basic Information

EPSS Score: 0.80221%
Published: 5/1/2022
Updated: 9/22/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Package Name: org.apache.struts:struts2-dojo-plugin
Ecosystem: maven
Vulnerable Versions: >= 0.4.1, <= 0.4.2
First Patched Version: 0.4.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The advisory explicitly identifies xip_client.html and xip_server.html in the Dojo library's src/io/ directory as the attack vectors. While the exact function names are unspecified, these files are directly tied to cross-domain communication (XIP) and input handling. XSS vulnerabilities in this context typically stem from unescaped user input being rendered in the DOM. Given the files' roles in IO operations and the lack of patched sanitization in versions 0.4.1-0.4.2, the handlers within these files are confidently flagged as vulnerable.

WAF Protection Rules

WAF Rule

Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving (1) `xip_client.html` and (2) `x
