Vulnerabilities > Apache > Tiles
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-30 | CVE-2023-49735 | Path Traversal vulnerability in Apache Tiles 2.0 ** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. | 7.5 |
| 2009-04-09 | CVE-2009-1275 | Cross-Site Scripting And Information Disclosure vulnerability in Apache Tiles 2.1.0/2.1.1 Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags. network apache | 6.8 |