
2549 matches found

vulnersOsv
added 2022/05/14 12:54 a.m., 4 views

org.apache.struts:struts2-apps (=2.3.28), org.apache.struts:struts2-assembly (=2.3.28) +39 more potentially affected by CVE-2016-3081 via org.apache.struts:struts2-core (=2.3.28)

org.apache.struts:struts2-core MAVEN version =2.3.28 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.struts:struts2-core and may be impacted: - org.apache.struts:struts2-apps =2.3.28 - org.apache.struts:struts2-assembly =2.3.28 -...

CVSS 9.3, AI score 7.2, EPSS 0.9416, Exploits 12
OSV
added 2022/05/14 12:54 a.m., 26 views

GHSA-MMJ6-CJJ4-HPR5 Apache Struts vulnerable to arbitrary remote code execution due to improper input validation

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! exclamation mark operator to the REST Plugin...

CVSS 9.8, AI score 9.6, EPSS 0.81087, Exploits 4, References 8
OSV
added 2022/05/14 12:54 a.m., 34 views

GHSA-HMHQ-382Q-MP56 ClassLoader manipulation in Apache Struts

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists...

CVSS 5.8, AI score 6.7, EPSS 0.06745, Exploits 0, References 5
OSV
added 2022/05/14 12:54 a.m., 19 views

GHSA-8C6J-FFMF-Q6VM Apache Struts RCE Vulnerability

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions...

CVSS 8.1, AI score 8.2, EPSS 0.9416, Exploits 12, References 13
Github Security Blog
added 2022/05/14 12:54 a.m., 33 views

Apache Struts RCE Vulnerability

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions...

CVSS 9.3, AI score 8, EPSS 0.9416, Exploits 12, References 13, Affected Software 1
Github Security Blog
added 2022/05/14 12:54 a.m., 39 views

ClassLoader manipulation in Apache Struts

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists...

CVSS 5.8, AI score 8.7, EPSS 0.06745, Exploits 0, References 5, Affected Software 1
Github Security Blog
added 2022/05/14 12:54 a.m., 33 views

Apache Struts vulnerable to arbitrary remote code execution due to improper input validation

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! exclamation mark operator to the REST Plugin...

CVSS 9.8, AI score 8.2, EPSS 0.81087, Exploits 4, References 8, Affected Software 1
vulnersOsv
added 2022/05/14 12:54 a.m., 2 views

com.amashchenko.struts2.actionflow:struts2-actionflow-plugin (=2.4.0), com.amashchenko.struts2.actionflow:struts2-actionflow-showcase (=2.4.0) +79 more potentially affected by CVE-2016-4438 via org.apache.struts:struts2-core (>=2.3.1.1 <=2.3.28.1)

org.apache.struts:struts2-core MAVEN version =2.3.1.1, =1.2.2, =1.2.2, =1.2.2, =1.2.2, =1.1.0, =1.1.0, =2.0.4 - com.jgeppert.struts2.jquery:struts2-jquery-chart-plugin =3.3.0 - com.jgeppert.struts2.jquery:struts2-jquery-grid-plugin =3.3.0 - com.jgeppert.struts2.jquery:struts2-jquery-mobile-plugin...

CVSS 9.8, AI score 7.2, EPSS 0.17171, Exploits 2
OSV
added 2022/05/14 12:54 a.m., 2 views

GHSA-4PRJ-VW9J-V6PR Arbitrary code execution in Apache Struts 2

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression...

CVSS 9.8, AI score 7.6, EPSS 0.17171, Exploits 2, References 10
vulnersOsv
added 2022/05/14 12:54 a.m., 3 views

org.apache.struts:struts2-assembly (>=2.3.1.1 <=2.3.28.1), org.apache.struts:struts2-rest-showcase (>=2.3.1.1 <=2.3.28.1) +2 more potentially affected by CVE-2016-4438 via org.apache.struts:struts2-rest-plugin (>=2.3.1.1 <=2.3.28.1)

org.apache.struts:struts2-rest-plugin MAVEN version =2.3.1.1, =2.3.1.1, =2.3.1.1, =1.0, =1.0.1 - org.meruvian.yama:yama-struts-core =1.0.1 Source cves: CVE-2016-4438 Source advisory: OSV:GHSA-4PRJ-VW9J-V6PR...

CVSS 9.8, AI score 7.2, EPSS 0.17171, Exploits 2
OSV
added 2022/05/14 12:54 a.m., 6 views

GHSA-44HV-JJX7-QFJG Path Traversal in Apache Struts

In Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side. This vulnerability is only exploitable when using the Struts 2 Convention plugin in conjunction with Apache...

CVSS 9.8, AI score 6.2, EPSS 0.08438, Exploits 0, References 7
Github Security Blog
added 2022/05/14 12:54 a.m., 115 views

Arbitrary code execution in Apache Struts 2

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression...

CVSS 9.8, AI score 7.8, EPSS 0.17171, Exploits 2, References 10, Affected Software 2
Github Security Blog
added 2022/05/14 12:54 a.m., 30 views

Path Traversal in Apache Struts

In Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side. This vulnerability is only exploitable when using the Struts 2 Convention plugin in conjunction with Apache...

CVSS 9.8, AI score 5.6, EPSS 0.08438, Exploits 0, References 7, Affected Software 1
vulnersOsv
added 2022/05/14 12:52 a.m., 6 views

com.jgeppert.struts2.bootstrap:struts2-bootstrap-plugin (>=2.0.2 <=2.0.4), com.jgeppert.struts2.bootstrap:struts2-bootstrap-showcase (>=2.0.2 <=2.0.4) +42 more potentially affected by CVE-2016-0785 via org.apache.struts:struts2-core (>=2.3.24 <=2.3.24.1)

org.apache.struts:struts2-core MAVEN version =2.3.24, =2.0.2, =2.0.2, =2.3.24, =2.3.24, =2.3.24, =2.3.24, =2.3.24, =2.3.24, =2.3.24, =2.3.24, =2.3.24, =2.3.24, =2.3.24, =2.3.24, =2.3.24, =2.3.24.1 and more Source cves: CVE-2016-0785 Source advisory: OSV:GHSA-876P-4WGC-75RX...

CVSS 9, AI score 7.2, EPSS 0.08812, Exploits 0
OSV
added 2022/05/14 12:52 a.m., 29 views

GHSA-876P-4WGC-75RX Apache Struts RCE Vulnerability

Apache Struts 2.x before 2.3.20.3, 2.3.24.3, and 2.3.28 allows remote attackers to execute arbitrary code via a % sequence in a tag attribute, aka forced double OGNL evaluation...

CVSS 8.8, AI score 8.8, EPSS 0.08812, Exploits 0, References 6
Github Security Blog
added 2022/05/14 12:52 a.m., 22 views

Apache Struts RCE Vulnerability

Apache Struts 2.x before 2.3.20.3, 2.3.24.3, and 2.3.28 allows remote attackers to execute arbitrary code via a % sequence in a tag attribute, aka forced double OGNL evaluation...

CVSS 9, AI score 8.8, EPSS 0.08812, Exploits 0, References 6, Affected Software 1
vulnersOsv
added 2022/05/13 1:26 a.m., 3 views

org.apache.struts:struts2-assembly (>=2.2.1 <=2.3.37), org.apache.struts:struts2-showcase (>=2.0.5 <=2.3.37) potentially affected by CVE-2017-9791 +1 more via org.apache.struts:struts2-struts1-plugin (>=2.0.5 <=2.3.37)

org.apache.struts:struts2-struts1-plugin MAVEN version =2.0.5, =2.2.1, =2.0.5, =2.3.37 Source cves: CVE-2017-9791, CVE-2017-9805 Source advisory: OSV:GHSA-29RM-6752-GVWV...

CVSS 9.8, AI score 7.4, EPSS 0.99461, Exploits 42
OSV
added 2022/05/13 1:26 a.m., 0 views

GHSA-29RM-6752-GVWV Code execution in Apache Struts 1 plugin

The Struts 1 plugin used with Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage...

CVSS 9.8, AI score 7.4, EPSS 0.99461, Exploits 42, References 10
Github Security Blog
added 2022/05/13 1:26 a.m., 60 views

Code execution in Apache Struts 1 plugin

The Struts 1 plugin used with Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage...

CVSS 9.8, AI score 3.9, EPSS 0.98931, Exploits 19, References 11, Affected Software 1
vulnersOsv
added 2022/05/13 1:25 a.m., 3 views

com.addc:addc-svr-struts12 (>=2.5 <=2.6.1), com.addc:addc-web-struts12 (>=2.5 <=2.6.1) +75 more potentially affected by CVE-2016-1181 via struts:struts (>=1.1 <=1.2.9)

struts:struts MAVEN version =1.1, =2.5, =2.5, =0.8-M1, =0.9.0, =5.0, =5.0, =4.0.3, =4.0.4 - nanocontainer:nanocontainer-nanowar-sample =1.0-RC-1 and more Source cves: CVE-2016-1181 Source advisory: OSV:GHSA-7JW3-5Q4W-89QG...

CVSS 8.1, AI score 7.2, EPSS 0.13227, Exploits 0