240 matches found
Apache Struts 2 ParametersInterceptor OGNL Command Injection
Added: 03/26/2012 CVE: CVE-2011-3923 BID: 51628 OSVDB: 78109 Background Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller MVC architecture. Problem...
Apache Struts 2 ParametersInterceptor OGNL Command Injection
Added: 03/26/2012 CVE: CVE-2011-3923 BID: 51628 OSVDB: 78109 Background Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller MVC architecture. Problem...
CVE-2012-0838
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field...
CVE-2012-0838
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field...
Design/Logic Flaw
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field...
CVE-2012-0838
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field...
Apache Struts 2 vulnerable to an arbitrary Java method execution
Overview Apache Struts 2 contains an arbitrary Java method execution vulnerability. Apache Struts 2 is a framework to create Java web applications. Apache Struts 2 contains an arbitrary Java method execution vulnerability due to improper conversion in OGNL expression if a non-string property is...
CVE-2012-1006
Multiple cross-site scripting XSS vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the 1 name or 2 lastName parameter to struts2-showcase/person/editPerson.action, or the 3 clientName parameter to struts2-rest-showcase/orders...
Apache Struts 2 ParameterInterceptor Class OGNL Expression Parsing Remote Command Execution
The remote web application appears to use Apache Struts 2, a web framework that uses XWork. Due to a flaw in the ParameterInterceptor class, user input is not properly sanitized, which allows a remote attacker to run arbitrary Java code on the remote host by sending a specially crafted HTTP...
Apache Struts 2.0.92.1.8 - Session Tampering Security Bypass
Apache Struts 2.0.92.1.8 - Session Tampering Security Bypass source: https://www.securityfocus.com/bid/50940/info Apache Struts is prone to a security-bypass vulnerability that allows session tampering. Successful attacks will allow attackers to bypass security restrictions and gain unauthorized...
Apache Struts 2, XWork, OpenSymphony WebWork Java Class Path Information Disclosure
Security Advisory: MVSA-11-007 http://www.ventuneac.net/security-advisories/MVSA-11-007 CVE: CVE-2011-2088 Vendors: Apache Software Foundation, OpenSymphony Products: Struts 2, XWork , WebWork Vulnerabilities: Java Class Path Information Disclosure Risk: Medium Attack Vector: From Remote...
CVE-2011-1772
Multiple cross-site scripting XSS vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving 1 an action name, 2 the action attribute of an s:submit element, or 3 t...
CVE-2011-2087
Multiple cross-site scripting XSS vulnerabilities in component handlers in the javatemplates aka Java Templates plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of...
CVE-2011-1772
CVE-2011-1772 is a cross-site scripting (XSS) vulnerability affecting Apache Struts 2.x (XWork) and OpenSymphony WebWork, with XWork error page generation failing to escape certain inputs. The issue arises from improper validation of user-supplied input when generating the action name for error p...
CVE-2011-2087
CVE-2011-2087 affects the javatemplates (Java Templates) plugin in Apache Struts 2.x prior to 2.2.3. The issue is multiple XSS vulnerabilities in eight component handlers (FileHandler.java, HiddenHandler.java, PasswordHandler.java, RadioHandler.java, ResetHandler.java, SelectHandler.java, SubmitH...
Apache Struts 2 Multiple Reflected XSS in XWork error pages
Security Advisory: MVSA-11-006 CVE: CVE-2011-1772 Vendor: Apache Software Foundation Product: Struts 2 Framework Vulnerabilities: Multiple Reflected XSS in XWork error pages Risk: High Attack Vector: From Remote Authentication: Not Required References: -...
Apache Struts 2 Cross Site Scripting
Security Advisory: MVSA-11-006 CVE: CVE-2011-1772 Vendor: Apache Software Foundation Product: Struts 2 Framework Vulnerabilities: Multiple Reflected XSS in XWork error pages Risk: High Attack Vector: From Remote Authentication: Not Required References: -...
CVE-2010-1870
The CVE-2010-1870 entry covers OGNL expression evaluation in XWork (Struts 2.0.0–2.1.8.1) with a permissive whitelist that allows remote modification of server-side context objects and bypass of the # protection via OGNL context variables (e.g., #context, #root, #this, etc.). Cisco advisory notes...
Apache Struts 2 s:a / s:url Tag href Element XSS
The web application on the remote host is affected by a cross-site scripting vulnerability due to a vulnerable version of Apache Struts 2 that fails to properly encode the parameters in the 's:a' and 's:url' tags. A remote attacker can exploit this by tricking a user into requesting a page with...
CVE-2008-6505
Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f encoded dot dot slash in a URI with a /struts/ path, related to 1 FilterDispatcher in 2.0.x and 2 DefaultStaticContentLoader in 2.1...