2549 matches found

OSV
added 2022/05/17 3:13 a.m.

GHSA-RPJ9-R897-WC6Q Open redirect in Apache Struts

The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "redirect:" or "redirectAction:", followed by a desired redirect target expression. This mechanism was intended to help with attaching navigational information to...

CVSS 5.8 | AI score 8.6 | EPSS 0.95151
Exploits 4 | References 6
vulnersOsv
added 2022/05/17 2:16 a.m.

com.github.a-pz:struts2-thymeleaf3-plugin (>=1.0.3-RELEASE <=1.0.5-RELEASE), com.jgeppert.struts2.bootstrap:struts2-bootstrap-plugin (=2.5.1) +73 more potentially affected by CVE-2016-4465 via org.apache.struts:struts2-core (>=2.5.1 <=2.5.12)

org.apache.struts:struts2-core MAVEN version =2.5.1, =1.0.3-RELEASE, =0.9.4, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.12 - org.apache.struts:struts2-java8-support-plugin =2.5.1 and more Source cves: CVE-2016-4465 Source advisory: OSV:GHSA-XG75-68X3-7P3Q...

CVSS 5.3 | AI score 6.4 | EPSS 0.10638
Exploits 0
OSV
added 2022/05/17 2:16 a.m.

GHSA-XG75-68X3-7P3Q Apache Struts vulnerable to possible DoS attack when using URLValidator

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.13 allows remote attackers to cause a denial of service via a null value for a URL field...

CVSS 5.3 | AI score 7.3 | EPSS 0.10638
Exploits 0 | References 9
OSV
added 2022/05/17 2:16 a.m.

GHSA-VQ79-MGPX-2WX4 Apache Struts Access Control Redirect

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method...

CVSS 7.5 | AI score 7.9 | EPSS 0.10013
Exploits 0 | References 11
OSV
added 2022/05/17 2:16 a.m.

GHSA-WM8W-QP2F-728Q Apache Struts Open Redirect

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request...

CVSS 7.5 | AI score 7.3 | EPSS 0.10013
Exploits 0 | References 11
Github Security Blog
added 2022/05/17 2:16 a.m.

Apache Struts Access Control Redirect

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method...

CVSS 7.5 | AI score 7 | EPSS 0.10013
Exploits 0 | References 11 | Affected software 1
Github Security Blog
added 2022/05/17 2:16 a.m.

Apache Struts Open Redirect

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request...

CVSS 7.5 | AI score 6.8 | EPSS 0.10013
Exploits 0 | References 11 | Affected software 1
Github Security Blog
added 2022/05/17 2:16 a.m.

Apache Struts improper action name cleanup

Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have an unspecified impact via vectors related to improper action name cleanup...

CVSS 9.8 | AI score 7.4 | EPSS 0.06779
Exploits 0 | References 9 | Affected software 1
Github Security Blog
added 2022/05/17 2:16 a.m.

Apache Struts vulnerable to possible DoS attack when using URLValidator

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.13 allows remote attackers to cause a denial of service via a null value for a URL field...

CVSS 5.3 | AI score 5.4 | EPSS 0.10638
Exploits 0 | References 9 | Affected software 1
OSV
added 2022/05/17 2:16 a.m.

GHSA-XM92-V2MQ-842Q Apache Struts improper action name cleanup

Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have an unspecified impact via vectors related to improper action name cleanup...

CVSS 9.8 | AI score 7.2 | EPSS 0.06779
Exploits 0 | References 9
vulnersOsv
added 2022/05/17 2:11 a.m.

br.net.woodstock.rockframework:rockframework-web (>=1.2.1 <=1.2.2), info.kfgodel:bean2bean (>=1.1.5 <=1.1.6) +27 more potentially affected by CVE-2008-6504 via com.opensymphony:xwork (>=2.1.0 <=2.1.1)

com.opensymphony:xwork MAVEN version =2.1.0, =1.2.1, =1.1.5, =1.1.6 - net.sf.fastupload:fastupload-core =0.4.7 - org.apache.struts:struts2-apps =2.1.2 - org.apache.struts:struts2-blank =2.1.2 - org.apache.struts:struts2-codebehind-plugin =2.1.2 - org.apache.struts:struts2-config-browser-plugin...

CVSS 5 | AI score 5.8 | EPSS 0.394
Exploits 1
vulnersOsv
added 2022/05/17 2:11 a.m.

com.github.yujiaao:jmesa (>=4.0.1 <=4.1.3), com.microsoft.azure:applicationinsights-web (>=0.9.2 <=2.4.0-BETA) +23 more potentially affected by CVE-2008-6504 via com.opensymphony:xwork (>=2.0.4 <=2.0.5)

com.opensymphony:xwork MAVEN version =2.0.4, =4.0.1, =0.9.2, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.11.2 and more Source cves: CVE-2008-6504 Source advisory: OSV:GHSA-WXW2-2MX5-C5QF...

CVSS 5 | AI score 5.8 | EPSS 0.394
Exploits 1
Github Security Blog
added 2022/05/17 2:11 a.m.

Improper Input Validation in OpenSymphony XWork

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict pound sign references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and...

CVSS 5 | AI score 5.3 | EPSS 0.394
Exploits 1 | References 14 | Affected software 1
OSV
added 2022/05/17 1:49 a.m.

GHSA-CMPM-JG8R-FV37 Apache Struts Multiple Cross-site Scripting Vulnerabilities

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders...

CVSS 4.3 | AI score 5.4 | EPSS 0.58476
Exploits 1 | References 5
Github Security Blog
added 2022/05/17 1:49 a.m.

Apache Struts Multiple Cross-site Scripting Vulnerabilities

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders...

CVSS 4.3 | AI score 6 | EPSS 0.58476
Exploits 1 | References 6 | Affected software 1
OSV
added 2022/05/17 1:42 a.m.

GHSA-2RVH-Q539-Q33V Cross-Site Request Forgery in Apache Struts

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute...

CVSS 6.8 | AI score 6.4 | EPSS 0.03451
Exploits 0 | References 6
OSV
added 2022/05/17 1:42 a.m.

GHSA-HRGC-54MV-58GV Denial of service in Apache Struts

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression...

CVSS 5 | AI score 8.9 | EPSS 0.08353
Exploits 0 | References 9
vulnersOsv
added 2022/05/17 1:42 a.m.

br.net.woodstock.rockframework:rockframework-struts2 (>=2.0.0 <=2.0.8), br.net.woodstock.rockframework:rockframework-web (>=1.2.4 <=3.0.1) +259 more potentially affected by CVE-2012-4387 via org.apache.struts.xwork:xwork-core (>=2.2.1 <=2.3.4)

org.apache.struts.xwork:xwork-core MAVEN version =2.2.1, =2.0.0, =1.2.4, =1.5.3, =1.5.3, =1.2.2, =1.2.2, =1.2.2, =1.2.2, =0.5.9, =1.2.0, =1.2.3 - com.github.psyuhen:struts2-thymeleaf3-plugin =1.0.5.1-RELEASE and more Source cves: CVE-2012-4387 Source advisory: OSV:GHSA-HRGC-54MV-58GV...

CVSS 5 | AI score 7.2 | EPSS 0.08353
Exploits 0
Github Security Blog
added 2022/05/17 1:42 a.m.

Cross-Site Request Forgery in Apache Struts

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute...

CVSS 6.8 | AI score 5.7 | EPSS 0.03451
Exploits 0 | References 7 | Affected software 1
Github Security Blog
added 2022/05/17 1:42 a.m.

Denial of service in Apache Struts

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression...

CVSS 5 | AI score 6.1 | EPSS 0.08353
Exploits 0 | References 9 | Affected software 1