Apache Struts 2.5.x < 2.5.13 URLValidator Form Field Handling Remote DoS (S2-044)
The version of Apache Struts running on the remote host is 2.5.x prior to 2.5.13. It is, therefore, affected by a denial of service vulnerability in the URLValidator class due to improper handling of user-supplied input to the form field. An unauthenticated, remote attacker can exploit this, via ...
Debian Security Advisory DSA 3536-1 (libstruts1.2-java - security update)
It was discovered that libstruts1.2-java, a Java framework for MVC applications, contains a bug in its multi-page validation code. This allows input validation to be bypassed, even if MPV is not used directly. OpenVAS Vulnerability Test $Id: deb3536.nasl 6608 2017-07-07 12:05:05Z cfischer $...
DSA-3536-1 libstruts1.2-java - security update
JVN#88408929: Apache Struts vulnerable to cross-site scripting
Apache Struts provided by the Apache Software Foundation is a software framework for creating web applications in Java. Apache Struts is vulnerable to cross-site scripting when JSP files can be accessed directly. Impact: An arbitrary script may be executed on the user's Internet Explorer when the...
Apache Struts 2.3.20 Incorrect Default Exclude Pattern (S2-024)
The remote web server is using Apache Struts version 2.3.20. It is, therefore, affected by an issue where the default exclude patterns are incorrect when using default settings. This allows a remote attacker to impact the internal application's state. Note that Nessus has not tested for this issu...
JVN#91502163: Direct Web Remoting (DWR) vulnerable to XML external entity injection
Direct Web Remoting (DWR) is a Java framework for adding Ajax to web applications. DWR contains an XML external entity injection vulnerability (CWE-611). Impact: When an application uses a function to convert DOM data (DOMConverter, JDOMConverter, DOM4JConverter or XOMConverter) and a specially...
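The DWR entry above describes converters that build a DOM from attacker-supplied XML. The usual guard for that pattern (CWE-611) is to refuse any inbound document that carries a DTD or entity declaration before a parser ever sees it. The following is an added example, not DWR project code or JVN material; the sample documents are constructed, and the guard is a pre-parse byte scan rather than anything DWR itself ships.

```python
"""Added example (not DWR code): reject DTDs/entities before handing untrusted
XML to a DOM converter, the CWE-611 defence the DWR entry above calls for."""
import re
import xml.etree.ElementTree as ET

# Matches a DOCTYPE or ENTITY declaration anywhere in the raw bytes. A CDATA
# section containing that literal text would also be rejected; that is a
# fail-closed false positive, which is acceptable for an inbound RPC payload.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when the document carries a DTD, which a converter must not accept."""


def reject_dtd(data: bytes) -> None:
    """Raise UnsafeXML if the document declares a DOCTYPE or ENTITY."""
    if _DTD_RE.search(data):
        raise UnsafeXML("DOCTYPE/ENTITY declaration not allowed in inbound XML")


def convert_untrusted(data: bytes) -> ET.Element:
    """Parse untrusted XML into an element tree only after the DTD check passes.

    ElementTree's expat parser does not fetch external entities on its own, but
    refusing DTDs up front keeps the behaviour independent of which DOM library
    (xml.dom, lxml, ...) the converter is later switched to.
    """
    reject_dtd(data)
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the document passes the guard and parses; False if rejected."""
    try:
        convert_untrusted(data)
        return True
    except UnsafeXML:
        return False


# Constructed sample: a benign RPC-style payload.
CLEAN = b"<call><method>getUser</method><arg>42</arg></call>"

# Constructed sample: the classic external-entity declaration shape (CWE-611).
XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE call [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
    b"<call><arg>&ext;</arg></call>"
)

if __name__ == "__main__":
    print("clean accepted:", is_accepted(CLEAN))
    print("xxe accepted:  ", is_accepted(XXE))
```

The check runs on bytes before any parser is chosen, so it also protects a converter that is later moved to a DTD-resolving library.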
[ANN] Struts 2.3.16.3 GA release available - security fix
The Apache Struts group is pleased to announce that Struts 2.3.16.3 is available as a "General Availability" release. The GA designation is our highest quality grade. Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed ...
Apache Struts 2 OGNL Expression Handling Double Evaluation Error Remote Command Execution
The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to a flaw in the evaluation of an OGNL expression, a remote, unauthenticated attacker can exploit this issue to execute arbitrary commands on the...
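The entry above is the class of bug where a request parameter is evaluated as an OGNL expression. On the detection side, the practical signal is OGNL syntax arriving in a parameter at all. The following is an added example, not Nessus or Struts code: it scans combined-format access-log lines for %{...} and ${...} blocks and for the @class@member static-access form, decoding repeatedly so double-encoded values are inspected in the clear. The log lines and the parameter values in them are constructed samples.

```python
"""Added example (not Nessus/Struts code): flag request parameters carrying
OGNL expression syntax, the input shape the double-evaluation flaw above acts on."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# OGNL markers: a %{...} or ${...} block, or the two-@ form @class@member used to
# reach static members from inside an expression. A single '@' (e-mail
# addresses) does not match.
_OGNL_MARKERS = re.compile(r"[%$]\{|@[A-Za-z_][\w.]*@\w+")

# Request line inside a combined-format access-log entry.
_REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalise(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so a double-encoded payload is inspected decoded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """(name, value), both decoded, for each query parameter whose name or value carries OGNL syntax."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        name, value = normalise(name), normalise(value)
        if _OGNL_MARKERS.search(name) or _OGNL_MARKERS.search(value):
            hits.append((name, value))
    return hits


def scan_log(lines) -> list[tuple[str, str, str]]:
    """(path, parameter, decoded value) for every suspicious parameter in the log."""
    findings = []
    for line in lines:
        m = _REQ_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        path = urlsplit(target).path
        for name, value in suspicious_params(target):
            findings.append((path, name, value))
    return findings


# Constructed sample lines: a benign login, a single-encoded %{...} probe, and a
# double-encoded ${...} expression using the @class@member form.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jul/2017:12:05:05 +0000] "GET /login.action?username=alice&password=s3cret HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Jul/2017:12:05:06 +0000] "GET /search.action?q=%25%7B1%2B1%7D HTTP/1.1" 200 88',
    '10.0.0.9 - - [07/Jul/2017:12:05:07 +0000] "GET /search.action?q=%2524%257B%2540java.lang.System%2540getProperty(%2527os.name%2527)%257D HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for path, name, value in scan_log(SAMPLE_LOG):
        print(f"{path} {name}={value!r}")
```

The decode loop is bounded so a hostile value cannot keep the scanner busy; three rounds is enough for the single- and double-encoded forms seen in practice, and anything still changing after that is itself worth a look.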
RHEL 4 / 5 : jboss-seam2 (RHSA-2011:0950)
Updated jboss-seam2 packages that fix one security issue are now available for JBoss Enterprise Application Platform 4.3 for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS)...
SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2
SEC Consult Vulnerability Lab Security Advisory 20120104-0
=======================================================================
title: Multiple critical vulnerabilities in Apache Struts2
product: Apache Struts2
         OpenSymphony XWork
         OpenSymphony OGNL
vulnerable version: 2.3.1 and below
fixed...
Apache Struts 2 devMode Information Disclosure
The remote web server is using Apache Struts 2, a web application framework for developing Java EE web applications. The version of Apache Struts 2 installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web...
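Two of the findings on this page are configuration and version checks an operator can run against a deployment directly: devMode enabled (the entry above) and a Struts version inside an affected range (S2-044: 2.5.x before 2.5.13; S2-024: version 2.3.20, as those entries state). The following is an added example, not Struts or Nessus code. The struts.xml and struts.properties texts are constructed samples using the real struts.devMode constant; the audit reports any source that enables devMode and deliberately does not resolve precedence between the two files, so it fails closed. Version parsing assumes plain dotted numeric versions.

```python
"""Added example (not Struts/Nessus code): audit a deployment for devMode and
for the two affected version ranges listed on this page."""
import re
import xml.etree.ElementTree as ET

DEVMODE_KEY = "struts.devMode"


def _truthy(value: str) -> bool:
    return value.strip().lower() == "true"


def devmode_in_xml(struts_xml: str) -> bool:
    """True if struts.xml turns devMode on through a <constant> element."""
    root = ET.fromstring(struts_xml)
    return any(
        c.get("name") == DEVMODE_KEY and _truthy(c.get("value", ""))
        for c in root.iter("constant")
    )


def devmode_in_properties(struts_properties: str) -> bool:
    """True if struts.properties sets struts.devMode=true ('=' or ':' separator)."""
    for raw in struts_properties.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = re.split(r"(\s*[=:]\s*)", line, maxsplit=1) + ["", ""][: 3 - len(re.split(r"(\s*[=:]\s*)", line, maxsplit=1))]
        if key.strip() == DEVMODE_KEY and _truthy(value):
            return True
    return False


def devmode_sources(struts_xml: str, struts_properties: str = "") -> list:
    """Names of the configuration sources that enable devMode (any source counts)."""
    found = []
    if devmode_in_xml(struts_xml):
        found.append("struts.xml")
    if struts_properties and devmode_in_properties(struts_properties):
        found.append("struts.properties")
    return found


def parse_version(version: str) -> tuple:
    """'2.5.13' -> (2, 5, 13); plain dotted numeric versions only (assumption)."""
    return tuple(int(part) for part in version.strip().split("."))


# Affected ranges exactly as the two entries on this page state them.
ADVISORIES = {
    "S2-044": lambda v: v[:2] == (2, 5) and v < (2, 5, 13),  # 2.5.x before 2.5.13
    "S2-024": lambda v: v == (2, 3, 20),                      # version 2.3.20 itself
}


def affected_by(version: str) -> list:
    """Advisory IDs from this page whose stated range covers the given version."""
    v = parse_version(version)
    return [name for name, matches in ADVISORIES.items() if matches(v)]


# Constructed sample struts.xml with the weak setting, and the corrected form.
STRUTS_XML_WEAK = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <constant name="struts.devMode" value="true"/>
    <package name="default" extends="struts-default"/>
</struts>
"""
STRUTS_XML_FIXED = STRUTS_XML_WEAK.replace('value="true"', 'value="false"')

# Constructed sample struts.properties with the weak setting.
PROPS_WEAK = "# constructed sample\nstruts.devMode = true\nstruts.action.extension = action\n"

if __name__ == "__main__":
    print("devMode enabled in:", devmode_sources(STRUTS_XML_WEAK, PROPS_WEAK))
    print("devMode enabled in:", devmode_sources(STRUTS_XML_FIXED))
    for ver in ("2.3.20", "2.5.12", "2.5.13"):
        print(ver, "->", affected_by(ver))
```

Keep the version table tied to what an advisory actually states; the S2-024 entry names 2.3.20 only, so a 2.3.20.x patch release is not flagged by this check.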