CWE-104

Struts: Form Bean Does Not Extend Validation Class

Variant, Draft, Simple

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.

Common consequences

  • Scope: Other. Impact: Other

    Bypassing the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is an important component of vulnerabilities like cross-site scripting, process control, and SQL injection.

  • Scope: Confidentiality, Integrity, Availability, Other. Impact: Other

    Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

Potential mitigations

  1. Implementation

    Ensure that all forms extend one of the Validation Classes.
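
One way to check this mitigation during a code review, as an added example that is not part of the original entry: the script reads the `<form-bean>` entries of a `struts-config.xml` and follows each bean's `extends` chain until it reaches one of the Struts 1 Validator base classes. The configuration, the `com.example` class names and the regex-based reading of Java source are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Struts 1 Validator framework base classes (simple names).
VALIDATOR_BASES = {"ValidatorForm", "ValidatorActionForm",
                   "DynaValidatorForm", "DynaValidatorActionForm"}

# Constructed sample input, not taken from any real application.
STRUTS_CONFIG = """<struts-config>
  <form-beans>
    <form-bean name="loginForm" type="com.example.LoginForm"/>
    <form-bean name="registerForm" type="com.example.RegisterForm"/>
    <form-bean name="searchForm" type="org.apache.struts.validator.DynaValidatorForm"/>
    <form-bean name="adminForm" type="com.example.AdminForm"/>
  </form-beans>
</struts-config>"""
SOURCES = {  # constructed Java source snippets, keyed by class name
    "com.example.LoginForm": "public class LoginForm extends ActionForm { }",
    "com.example.BaseForm": "public abstract class BaseForm extends ValidatorForm { }",
    "com.example.RegisterForm": "public class RegisterForm extends BaseForm { }",
}
EXTENDS_RE = re.compile(r"\bclass\s+(\w+)\s+extends\s+([\w.]+)")

def superclass_map(sources):
    """Map simple class name -> simple superclass name from Java source text."""
    parents = {}
    for text in sources.values():
        for child, parent in EXTENDS_RE.findall(text):
            parents[child] = parent.rsplit(".", 1)[-1]
    return parents

def reaches_validator(cls, parents):
    """Walk the inheritance chain; True if a Validator base class is reached."""
    seen = set()
    while cls and cls not in seen:  # 'seen' guards against malformed cycles
        if cls in VALIDATOR_BASES:
            return True
        seen.add(cls)
        cls = parents.get(cls)
    return False

def audit(config_xml, sources):
    """Return (bean name, type, status) for beans outside the Validator chain."""
    parents = superclass_map(sources)
    findings = []
    for bean in ET.fromstring(config_xml).iter("form-bean"):
        simple = bean.get("type", "").rsplit(".", 1)[-1]
        if not reaches_validator(simple, parents):
            # 'unresolved': source not supplied, so the bean needs manual review
            status = "CWE-104" if simple in parents else "unresolved"
            findings.append((bean.get("name"), bean.get("type"), status))
    return findings
```

A bean reported as `unresolved` has no source in the supplied set, so its parent class has to be confirmed by hand rather than assumed safe.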

CVEs referencing this CWE

No CVEs reference this CWE yet

CWE assignments come from NVD/CNA assigners and OSS advisories. Some CWEs (Pillars, Composites) are abstract and rarely cited directly.