{"id":"CVE-2016-1182","details":"ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.","aliases":["GHSA-5ggr-mpgw-3mgx"],"modified":"2026-04-16T06:22:28.014512663Z","published":"2016-07-04T22:59:02.880Z","references":[{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2016-1182"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/91067"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20180629-0006/"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"type":"ADVISORY","url":"http://jvndb.jvn.jp/jvndb/JVNDB-2016-000097"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/91787"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1036056"},{"type":"ADVISORY","url":"http://jvn.jp/en/jp/JVN65044642/index.html"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1343540"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"type":"FIX","url":"https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/struts1","events":[{"introduced":"0"},{"last_affected":"2f31da8d6315acf6f8e9bf44250345d1d9363f85"},{"introduced":"0"},{"last_affected":"934faaaf4ddbe38a30a62ae8fc7e58d2dba90ea2"},{"introduced":"0"},{"last_affected":"eb268ce7a2ebd58b1ca084ecca4682bcbc7cfcaf"},{"introduced":"0"},{"last_affected":"e5fc9a70d4d586a5215cc74cacfc327490f06caf"},{"introduced":"0"},{"last_affected":"373154027c65ff19595d954c07ab0e36e93e9c5b"},{"introduced":"0"},{"last_affected":"18034701406a19516c921c77c5014ec78e821be8"},{"introduced":"0"},{"last_affected":"d5e1453607684e48e24f51dd3febbf7ab0b5241c"},{"introduced":"0"},{"last_affected":"fac67d636cbf723cb3d756d1138429350de4a2ee"},{"introduced":"0"},{"last_affected":"6f05d0d49774a7dbab2903e5aee8a2a0d8f3cee8"},{"introduced":"0"},{"last_affected":"8afe64135d328af0ed6b4f44c28c9596cc678b2c"},{"introduced":"0"},{"last_affected":"413367e9ffa791a0225df784dce47e457febe56e"},{"introduced":"0"},{"last_affected":"e5b1aa84f9057ed10b031fcc5c1b63329e943e8a"},{"introduced":"0"},{"last_affected":"6d8a0611c2dc40080bf5bc436d09f7e264efe5d9"},{"introduced":"0"},{"last_affected":"96831d6a8b8e4e84a4d3ba39836daef3a7d525c9"},{"introduced":"0"},{"last_affected":"80320efbf7bc35d9e14c3caf4d262a2a198a7fe3"},{"introduced":"0"},{"last_affected":"99c6c7e4fb50a0e5c5b616e7590273d3e47f0596"},{"introduced":"0"},{"last_affected":"11c038edcbc39fc7dd33a9c4e153449dcd0e4ce6"},{"introduced":"0"},{"last_affected":"4826731bfd429307a0e19bb602cdaca2b5d31b16"},{"introduced":"0"},{"last_affected":"bdbf6120a767c1ce000390b2cf953eaf3dabd478"},{"introduced":"0"},{"last_affected":"b518964f836cc7e92bfc8a182a9b33fa1d8f0d37"},{"introduced":"0"},{"last_affected":"804ae5cf5ef8c7dac1d44ef7819ff35ad86a81a7"},{"introduced":"0"},{"last_affected":"69785ef41e6e62e7c7229ce3a82e4acbe175f7a1"},{"introduced":"0"},{"last_affected":"49dabf9f94b996d78577ef596ac324411c389f6b"},{"introduced":"0"},{"last_affected":"910e9dac28714ff2fbeeb361f0e52c14d6145b1b"},{"introduced":"0"},{"last_affected":"432ca08cb5f436f290ab3dcaa9267739cf8f6f89"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0"},{"introduced":"0"},{"last_affected":"1.0.1"},{"introduced":"0"},{"last_affected":"1.0.2"},{"introduced":"0"},{"last_affected":"1.1"},{"introduced":"0"},{"last_affected":"1.1-b1"},{"introduced":"0"},{"last_affected":"1.1-b2"},{"introduced":"0"},{"last_affected":"1.1-b3"},{"introduced":"0"},{"last_affected":"1.1-rc1"},{"introduced":"0"},{"last_affected":"1.1-rc2"},{"introduced":"0"},{"last_affected":"1.2.0"},{"introduced":"0"},{"last_affected":"1.2.1"},{"introduced":"0"},{"last_affected":"1.2.2"},{"introduced":"0"},{"last_affected":"1.2.3"},{"introduced":"0"},{"last_affected":"1.2.4"},{"introduced":"0"},{"last_affected":"1.2.5"},{"introduced":"0"},{"last_affected":"1.2.6"},{"introduced":"0"},{"last_affected":"1.2.7"},{"introduced":"0"},{"last_affected":"1.2.8"},{"introduced":"0"},{"last_affected":"1.2.9"},{"introduced":"0"},{"last_affected":"1.3.5"},{"introduced":"0"},{"last_affected":"1.3.6"},{"introduced":"0"},{"last_affected":"1.3.7"},{"introduced":"0"},{"last_affected":"1.3.8"},{"introduced":"0"},{"last_affected":"1.3.9"},{"introduced":"0"},{"last_affected":"1.3.10"}]}},{"type":"GIT","repo":"https://github.com/kawasima/struts1-forever","events":[{"introduced":"0"},{"fixed":"eda3a79907ed8fcb0387a0496d0cb14332f250e8"}]}],"versions":["STRUTS_1_0","STRUTS_1_0_B1","STRUTS_1_0_B2","STRUTS_1_1","STRUTS_1_1_B1","STRUTS_1_1_B2","STRUTS_1_1_B3","STRUTS_1_1_RC1","STRUTS_1_1_RC2","STRUTS_1_2_0","STRUTS_1_2_1","STRUTS_1_2_2","STRUTS_1_2_3","STRUTS_1_2_4","STRUTS_1_2_5","STRUTS_1_2_6","STRUTS_1_2_7","STRUTS_1_2_8","STRUTS_1_2_9","STRUTS_1_3_10","STRUTS_1_3_5","STRUTS_1_3_6","STRUTS_1_3_7","STRUTS_1_3_8","STRUTS_1_3_9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.0-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"1.0-beta2"}]},{"events":[{"introduced":"0"},{"last_affected":"1.0-beta3"}]}],"vanir_signatures":[{"target":{"file":"src/share/org/apache/struts/action/ActionServlet.java"},"id":"CVE-2016-1182-764707ed","digest":{"threshold":0.9,"line_hashes":["105683631592247336656902944296599776314","40981726263095459424735472524808111251","2862303786404748042128178646467853349","207811457015275234257908205684295616493","277441258005566005519449599142878175700","312030805473486047810321879232524257574","282885639057810389179926927882785283503","204003968012705145478634013621690649237","304135678579568505631571992824951596339","243801532632016926960935286584807912263","217952086855472955496748280862806822199","305835152997505964804853882214061065472","229000502007580529303393046443959208742","30950044751233646112604525648435103748","259790258951861695249469713590068846770","233806469193145712396754822240236768822","135017837667307501811633680627790578472","257915629249777109357690232717200368499","72090433207419475626824692099586187379","99361996744071112323855774539141373025","149986068576086754127419569682222825213","136573233982601750858815088475377704808","78929048846053596461475036927463911723","258880862603859572277040310730946367789","308953546970365236756095253658591166631","78232233485352958434019412894233927009","48192962668982626538339483583244948777","64207166715813736093283923163539143977","276937143968145029020682005467026873783","83311304532829486008134214003320990549","230473023252087587097637910274006300896","309891649199857882751962721816820094800","77828087490743293410210199591691997086","253655484813366289844608959980497130922","163919496591251264925710851458967823163","207431811514667770692319474526457444558","96744140631647954610835818087371790242","127303369594388276279524254994130425455","203236370221193438834646047220884227858","263253822658907603002033271460854479663","58025557969618660640075213532826563098","244644852332381914097874412335171371959"]},"source":"https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8","signature_type":"Line","signature_version":"v1","deprecated":false},{"digest":{"length":1210,"function_hash":"314656000574971036214094989453598472483"},"id":"CVE-2016-1182-9b3dfe6b","target":{"function":"initOther","file":"src/share/org/apache/struts/action/ActionServlet.java"},"source":"https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8","signature_type":"Function","signature_version":"v1","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-1182.json","vanir_signatures_modified":"2026-04-11T03:43:38Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"}]}