Cross-site request forgery (CSRF)
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors...
Design/Logic Flaw
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field...
CVE-2016-1181
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899...
Information disclosure
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter...
Design/Logic Flaw
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression...
Default configuration
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method...
CVE-2016-4433
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request...
CVE-2016-4465
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field...
CVE-2016-1181
CVE-2016-1181 affects Apache Struts 1.x (1.1–1.3.10) where ActionServlet.java mishandles multithreaded access to an ActionForm, allowing a remote attacker to execute arbitrary code or cause a denial of service via a multipart request (related to CVE-2015-0899). The NVD description explicitly ties...
CVE-2016-1182
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899...
CVE-2016-4430
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors...
CVE-2015-0899
CVE-2015-0899 affects Apache Struts 1.x (1.1–1.3.10) where the MultiPageValidator allows remote bypass of access restrictions via a modified page parameter. IBM advisories (IBM Library Support for Struts 1.3.16 remediation, and related IBM bulletins) confirm this family of vulnerabilities and lis...
CVE-2016-4431
CVE-2016-4431 affects Apache Struts 2 2.3.20–2.3.28.1, allowing remote attackers to bypass access restrictions and perform redirection via the default action method. Multiple connected advisories identify this as an in-the-wild risk in various IBM FlashSystem products and related Struts deploymen...
CVE-2015-0899
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter...
CVE-2016-4438
CVE-2016-4438 affects Apache Struts 2 REST plugin. The REST plugin in Struts 2 versions 2.3.19 through 2.3.28.1 is vulnerable to remote code execution via a crafted OGNL expression due to improper handling of OGNL expressions. The vulnerability could allow an attacker to execute arbitrary code on...
CVE-2016-4431
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method...
CVE-2016-4438
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression...
CVE-2016-4433
CVE-2016-4433 affects Apache Struts 2 2.3.20–2.3.28.1, where a crafted request can bypass access restrictions and trigger redirection attacks. Multiple connected sources (NVD description; IBM advisories for Struts-related products) confirm the same affected range and attack pattern. The provided ...