Search for packages
| purl | pkg:maven/org.apache.tiles/tiles-core@2.1.0 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-eury-mu1z-w3bp
Aliases: CVE-2009-1275 GHSA-2c6q-rgvj-66rx |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags. |
Affected by 1 other vulnerability. |
|
VCID-jjre-tuhb-4yat
Aliases: CVE-2023-49735 GHSA-qw4h-3xjj-84cc |
Apache Tiles: Unvalidated input may lead to path traversal and XXE The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles. This issue affects Apache Tiles from version 2 onwards. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||