Immunity Canvas: STRUTSCODEINJECTION

Name| strutsCodeInjection ---|--- CVE| CVE-2012-0394 Exploit Pack| CANVAS Description| Struts Code Injector Notes| CVE Name: CVE-2012-0394 VENDOR: Apache Notes: CVE-2012-0394 - Struts = 2.2.1.1 ExceptionDelegator When an exception occurs while applying parameter values to properties, the value is...

Security feature bypass

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method...

Code injection

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter...

Design/Logic Flaw

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object...

CVE-2012-0391

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter...

CVE-2012-0392

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method...

CVE-2012-0393

CVE-2012-0393 concerns Apache Struts 2.x. The vulnerability lies in the ParameterInterceptor component not preventing access to public constructors, allowing a remote attacker to cause the creation of Java objects and thus “trigger” the creation or overwrite of arbitrary files via a crafted param...

CVE-2012-0393

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object...

CVE-2012-0391

CVE-2012-0391 affects Apache Struts 2 before 2.2.3.1, where the ExceptionDelegator interprets parameter values as OGNL expressions during certain exception handling for mismatched data types, enabling remote code execution via a crafted parameter. Multiple sources (CVE entry, CISA KEV, GHSA advis...

CVE-2012-0391

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter...

CVE-2012-0392

CVE-2012-0392 affects Apache Struts: CookieInterceptor does not enforce a parameter-name whitelist, enabling remote code execution via a crafted HTTP Cookie header that can trigger Java code execution through a static method. The Nuclei template confirms this as part of the S2-008 family, describ...

CVE-2012-0394

The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself...

CVE-2012-0394

CVE-2012-0394 affects Apache Struts 2.x, specifically the DebuggingInterceptor component when Developer Mode is enabled. The IBM security bulletin consolidates multiple Struts CVEs and states that the vulnerable code related to CVE-2012-0394 is not in use in Order Management, lowering risk; the a...

CVE-2012-0391

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. Recent assessments:...

PT-2012-2538 · Apache · Apache Struts

Name of the Vulnerable Software and Affected Versions: Apache Struts versions prior to 2.3.1.1 Description: The issue allows remote attackers to execute arbitrary commands via unspecified vectors when the DebuggingInterceptor component is used in developer mode. The vendor characterizes this...

Apache Struts远程命令执行和任意文件覆盖漏洞

Bugtraq ID: 51257 Apache Struts是一款建立Java web应用程序的开放源代码架构。 Apache Struts存在安全漏洞，允许攻击者利用漏洞执行任意命令或覆盖任意文件 -Apache Struts存在一个输入过滤错误，如果遇到转换错误可被利用注入和执行任意Java代码。 -当处理COOKIE名称过程中CookieInterceptor类没有正确限制对某些静态模式的访问，可被利用执行任意命令。 -部分未明输入在用于创建文件之前没有由ParameterInterceptor进行正确过滤，可被利用通过目录遍历攻击创建或覆盖任意文件。 0 Apache Stru...

Apache Struts vulnerable to cross-site scripting

Overview Apache Struts may create web applications that contain a cross-site scripting vulnerability. Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts may create web applications that contain a cross-site scripting...

JVN#25435092: Apache Struts vulnerable to cross-site scripting

Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts may create web applications that contain a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update t...

Apache Struts session tampering with the security restrictions bypass vulnerability-vulnerability warning-the black bar safety net

Release date: 2011-01-01 Update date: 2011-12-16 Affected system: The Apache Group Struts 2.1.8 .1 The Apache Group Struts 2.0.9 Description: -------------------------------------------------------------------------------- BUGTRAQ ID: 5 0 9 4 0 Apache Struts is a development of Java web...

Apache Struts会话篡改安全限制绕过漏洞

BUGTRAQ ID: 50940 Apache Struts是一款开发Java web应用程序的开源Web应用框架。 Apache Struts在实现上存在安全限制绕过漏洞，成功攻击可允许攻击者绕过安全限制获取非法访问权 Apache Struts 2.1.8 .1 Apache Struts 2.0.9 厂商补丁： Apache Group ------------ 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本： http://httpd.apache.org/...