NameCVE-2016-1182 in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[wheezy] - libstruts1.2-java <no-dsa> (basically fixed in CVE-2015-0899)
Two conditions must be met to exploit this vulnerability
condition one is already fixed in CVE-2015-0899, so everything is fine
condition two can be fixed by the following patch:
but as this completely deactivates multipart requests, this should not be generally applied

Search for package or bug name: Reporting problems