2549 matches found
GHSA-5PGJ-R7C6-7C7W Apache Struts Multiple XSS Vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of...
be.objectify:objectify-struts2-tags (=1.0), br.net.woodstock.rockframework:rockframework-web (>=1.2.1 <=1.2.2) +76 more potentially affected by CVE-2011-1772 via org.apache.struts:struts2-core (>=2.0.5 <=2.2.1.1)
org.apache.struts:struts2-core MAVEN version =2.0.5, =1.2.1, =0.6, =3.0, =2.4.0, =2.1.0, =3.0.2 and more Source cves: CVE-2011-1772 Source advisory: OSV:GHSA-56F8-G68R-J699...
GHSA-56F8-G68R-J699 Cross-site Scripting in Apache Struts
Multiple cross-site scripting (XSS) vulnerabilities in XWork-generated error pages in Apache Struts. By default, XWork does not escape action names in automatically generated error pages, allowing for a successful XSS attack. When Dynamic Method Invocation (DMI) is enabled, the action name is generated dynamically...
GHSA-3G8J-JJ54-3VJG Apache Struts is vulnerable to Cross-site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/...
GHSA-Q5Q8-JGHF-3PM3 Apache Struts2 Broken Access Control Vulnerability
The Struts 2 action mapping mechanism supports the special parameter prefix "action:", which is intended to help with attaching navigational information to buttons within forms. Under certain conditions this can be used to bypass security constraints. In Struts 2.3.15.3 the action mapping mechanism...
be.objectify:objectify-struts2-tags (=1.0), br.net.woodstock.rockframework:rockframework-struts2 (>=2.0.0 <=2.0.8) +216 more potentially affected by CVE-2016-2162 via org.apache.struts:struts2-core (>=2.0.11 <=2.3.24.3)
org.apache.struts:struts2-core MAVEN version =2.0.11, =2.0.0, =1.2.1, =1.5.3, =1.5.3, =1.2.2, =1.2.2, =1.2.2, =1.2.2, =0.5.9, =1.2.0, =1.0.0, =1.2.6 and more Source cves: CVE-2016-2162 Source advisory: OSV:GHSA-2J4Q-9FFF-236J...
GHSA-2J4Q-9FFF-236J Apache Struts XSS Vulnerability
Apache Struts 2.x before 2.3.28 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display...
GHSA-383P-XQXX-RRMP Denial of service in Apache Struts
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors...
GHSA-PVM9-288C-V5WQ Remote Code Execution in Apache Struts
XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code...
be.objectify:objectify-struts2-tags (=1.0), br.net.woodstock.rockframework:rockframework-struts2 (>=2.0.0 <=2.0.8) +171 more potentially affected by CVE-2013-4316 via org.apache.struts:struts2-core (>=2.0.11 <=2.3.15.1)
org.apache.struts:struts2-core MAVEN version =2.0.11, =2.0.0, =1.2.1, =1.5.3, =1.5.3, =1.2.0, =1.0.3, =0.6, =3.0, =5.0.1 - com.google.inject.extensions:guice-struts2-plugin =2.0 and more Source cves: CVE-2013-4316 Source advisory: OSV:GHSA-J7H6-XR7G-M2C5...
org.apache.struts:struts2-assembly (>=2.2.1 <=2.3.15), org.apache.struts:struts2-rest-showcase (>=2.1.2 <=2.3.15.1) +3 more potentially affected by CVE-2013-4316 via org.apache.struts:struts2-rest-plugin (>=2.1.2 <=2.3.15.1)
org.apache.struts:struts2-rest-plugin MAVEN version =2.1.2, =2.2.1, =2.1.2, =2.0-RC2.3, =2.0-RC3 Source cves: CVE-2013-4316 Source advisory: OSV:GHSA-J7H6-XR7G-M2C5...
GHSA-J7H6-XR7G-M2C5 Code injection in Apache Struts
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors...
GHSA-RPJ9-R897-WC6Q Open redirect in Apache Struts
The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "redirect:" or "redirectAction:", followed by a desired redirect target expression. This mechanism was intended to help with attaching navigational information to...