GHSA-7JW3-5Q4W-89QG Improper Input Validation in Apache Struts

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service unexpected memory access via a multipart request, a related issue to CVE-2015-0899...

Improper Input Validation in Apache Struts

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service unexpected memory access via a multipart request, a related issue to CVE-2015-0899...

com.addc:addc-svr-struts12 (>=2.5 <=2.6.1), com.addc:addc-web-struts12 (>=2.5 <=2.6.1) +75 more potentially affected by CVE-2016-1182 via struts:struts (>=1.1 <=1.2.9)

struts:struts MAVEN version =1.1, =2.5, =2.5, =0.8-M1, =0.9.0, =5.0, =5.0, =4.0.3, =4.0.4 - nanocontainer:nanocontainer-nanowar-sample =1.0-RC-1 and more Source cves: CVE-2016-1182 Source advisory: OSV:GHSA-5GGR-MPGW-3MGX...

Improper Input Validation in Apache Struts

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting XSS attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899...

GHSA-5GGR-MPGW-3MGX Improper Input Validation in Apache Struts

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting XSS attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899...

be.objectify:objectify-struts2-tags (=1.0), br.net.woodstock.rockframework:rockframework-struts2 (>=2.0.0 <=2.0.8) +131 more potentially affected by CVE-2013-2115 via org.apache.struts:struts2-core (>=2.0.11 <=2.3.14.1)

org.apache.struts:struts2-core MAVEN version =2.0.11, =2.0.0, =1.2.1, =1.2.0, =1.0.3, =0.6, =3.0, =5.0.1 - com.google.inject.extensions:guice-struts2-plugin =2.0 - com.google.inject.integration:guice-struts2-plugin =1.0 - com.googlecode.rapid-framework:rapid-core =4.0 and more Source cves:...

Code injection in Apache Struts

A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks. both the s:url and s:a tag provide an includeParams attribute. The main scope of that attribute is to understand whether includes...

GHSA-7GHM-RPC7-P7G5 Code injection in Apache Struts

A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks. both the s:url and s:a tag provide an includeParams attribute. The main scope of that attribute is to understand whether includes...

be.objectify:objectify-struts2-tags (=1.0), br.net.woodstock.rockframework:rockframework-web (>=1.2.1 <=1.2.2) +62 more potentially affected by CVE-2010-1870 via org.apache.struts:struts2-core (>=2.0.5 <=2.1.8.1)

org.apache.struts:struts2-core MAVEN version =2.0.5, =1.2.1, =0.6, =2.1.0, =1.8.3, =2.1.0, =2.0.0, =2.3.1 - com.toolazydogs.shiro:shiro-struts2 =1.0 and more Source cves: CVE-2010-1870 Source advisory: OSV:GHSA-X5FC-PGPX-59J5...

Code injection in Apache Struts

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within...

GHSA-47QP-8V9G-39HP Code injection in Apache Struts

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within...

Security Bulletin: IBM Sterling Order Management Apache Struts vulnerablity

Summary IBM Sterling Order Management Apache Struts vulnerablity Vulnerability Details CVEID: CVE-2019-0233 DESCRIPTION: Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker...

Security Bulletin: IBM Sterling Order Management Apache Struts vulnerablity

Summary IBM Sterling Order Management Apache Struts vulnerablity Vulnerability Details CVEID:CVE-2020-17530 DESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending...

VulnCheck KEV: CVE-2014-0112

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for...

VulnCheck KEV: CVE-2021-31805

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %... syntax. Using forced OGNL evaluation on untrusted user input can lead...

VulnCheck KEV: CVE-2014-0094

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method...

VulnCheck KEV: CVE-2014-0113

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists...

VulnCheck KEV: CVE-2014-0114

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute...

ca.stellardrift.guice-backport.extensions:guice-struts2 (=5.0.1), com.google.inject.extensions:guice-struts2 (>=3.0 <=5.0.1) +63 more potentially affected by CVE-2012-0393 via org.apache.struts.xwork:xwork-core (>=2.2.1 <=2.2.3)

org.apache.struts.xwork:xwork-core MAVEN version =2.2.1, =3.0, =2.4.0, =2.4.0, =3.0.0, =3.0.0, =2.4.0, =2.4.0, =2.4.0, =3.0.0, =2.0.0, =0.9.2, =0.9.0, =0.9.1 - io.forestframework:guice-struts2 =5.0.1.1 and more Source cves: CVE-2012-0393 Source advisory: OSV:GHSA-HXQQ-W4MR-MC62...

br.net.woodstock.rockframework:rockframework-struts2 (>=2.0.0 <=2.0.8), br.net.woodstock.rockframework:rockframework-web (>=1.2.4 <=3.0.1) +194 more potentially affected by CVE-2012-0394 via org.apache.struts.xwork:xwork-core (>=2.2.1 <=2.3.16.3)

org.apache.struts.xwork:xwork-core MAVEN version =2.2.1, =2.0.0, =1.2.4, =1.5.3, =1.5.3, =0.5.9, =1.2.0, =1.0.0, =2.0, =1.0.3, =1.2.2, =1.4.1, =3.0, =5.0.1 - com.googlecode.s2rome:struts2-rome-plugin =0.3 and more Source cves: CVE-2012-0394 Source advisory: OSV:GHSA-HMVJ-GC9Q-MG9P...