Variant · Incomplete

CWE-108: Struts: Unvalidated Action Form

Category: other

Description

Every Action Form must have a corresponding validation form. If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator.
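As an added example (not part of the CWE entry or of MITRE's text), the following Struts 1 configuration shows what "a validation form defined under the Struts Validator" means in practice. The form name `loginForm`, the classes under `com.example`, the field names and the file paths are all assumed for illustration. The weakness described above is the case where the `<action>` mapping names a form but `validation.xml` contains no `<form>` element with that same name (or the names differ), so the Validator silently checks nothing for that request.

```xml
<!-- struts-config.xml (illustrative excerpt, constructed for this example) -->
<struts-config>
  <form-beans>
    <!-- The bean must extend ValidatorForm (or ValidatorActionForm) for the
         Validator to run; a plain ActionForm subclass bypasses it (see CWE-104). -->
    <form-bean name="loginForm" type="com.example.LoginForm"/>
  </form-beans>

  <action-mappings>
    <!-- name="loginForm" is the Action Form Mapping. validate="true" asks the
         framework to call the Validator before the Action executes; "input"
         is where the request is sent back when validation fails. -->
    <action path="/login"
            type="com.example.LoginAction"
            name="loginForm"
            scope="request"
            validate="true"
            input="/login.jsp">
      <forward name="success" path="/welcome.jsp"/>
    </action>
  </action-mappings>

  <!-- Registers the Validator and the files it reads. Without this plug-in
       validation.xml is never loaded at all (see CWE-109). -->
  <plug-in className="org.apache.struts.validator.ValidatorPlugIn">
    <set-property property="pathnames"
                  value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/>
  </plug-in>
</struts-config>

<!-- validation.xml (illustrative, constructed for this example) -->
<!DOCTYPE form-validation PUBLIC
  "-//Apache Software Foundation//DTD Commons Validator Rules Configuration 1.3.0//EN"
  "http://jakarta.apache.org/commons/dtds/validator_1_3_0.dtd">
<form-validation>
  <formset>
    <!-- This <form name="..."> must match the name used in the <action>
         mapping above. CWE-108 is exactly the situation where this element
         is missing: the mapping exists, but no validation form is defined
         for it, so every field reaches the Action unchecked. -->
    <form name="loginForm">
      <field property="username" depends="required,maxlength">
        <arg position="0" key="loginForm.username"/>
        <arg position="1" name="maxlength" key="${var:maxlength}" resource="false"/>
        <var>
          <var-name>maxlength</var-name>
          <var-value>32</var-value>
        </var>
      </field>
      <field property="password" depends="required">
        <arg position="0" key="loginForm.password"/>
      </field>
    </form>
  </formset>
</form-validation>
```

A practical check is to list every `name="..."` attribute on `<action>` elements in `struts-config.xml` and confirm that each one has a matching `<form name="...">` in `validation.xml`; any form that is mapped but never listed there is an instance of this weakness, even if the Action performs its own ad hoc checks.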

Common consequences

  • Other — Other
    If an action form mapping does not have a validation form defined, it may be vulnerable to a number of attacks that rely on unchecked input. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation.
  • Confidentiality / Integrity / Availability / Other — Other
    Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

Potential mitigations

  • [Implementation]

References

  1. https://cwe.mitre.org/data/definitions/108.html

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Struts: Form Bean Does Not Extend Validation Class
  • CWE: Struts: Validator Without Form Field
  • CWE: Struts: Incomplete validate() Method Definition
  • CWE: Struts: Unused Validation Form
  • CWE: Struts: Plug-in Framework not in Use
  • CWE: Struts: Non-private Field in ActionForm Class

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.