2549 matches found

Source: Github Security Blog | Added: 2022/05/01 6:24 p.m. | 18 views

OpenSymphony XWork vulnerable to improper input validation

XWork is a command-pattern framework that is used to power WebWork as well as other applications. Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression...

CVSS 6.8 | AI score 7.3 | EPSS 0.25749
Exploits 0 | References 3 | Affected Software 1
Source: vulnersOsv | Added: 2022/05/01 6:24 p.m. | 9 views

com.google.code.struts2webflow:struts2webflow-parent (=1.0.4), com.google.code.struts2webflow:struts2webflow-plugin (=1.0.4) +23 more potentially affected by CVE-2007-4556 via opensymphony:xwork (>=2.0.0 <=2.0.3)

opensymphony:xwork MAVEN version =2.0.0, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.5, =2.0.8 and more Source cves: CVE-2007-4556 Source advisory: OSV:GHSA-H7MF-QRM9-2848...

CVSS 6.8 | AI score 5.8 | EPSS 0.25749
Exploits 0
Source: vulnersOsv | Added: 2022/05/01 6:50 a.m. | 2 views

com.octo.captcha:jcaptcha-all (=1.0-RC-2.0.1), com.thesett:struts-tools (>=0.8-M1 <=0.9.117) +33 more potentially affected by CVE-2006-1548 via struts:struts (>=1.1 <=1.2.8)

struts:struts MAVEN version =1.1, =0.8-M1, =0.9.0, =1.0.0, =3.2, =3.2, =3.2, =3.2, =1.1.5, =1.0.3, =1.0.4 and more Source cves: CVE-2006-1548 Source advisory: OSV:GHSA-P3VW-FVWX-QCV5...

CVSS 4.3 | AI score 7.2 | EPSS 0.05047
Exploits 0
Source: vulnersOsv | Added: 2022/05/01 6:50 a.m. | 2 views

com.octo.captcha:jcaptcha-all (=1.0-RC-2.0.1), com.thesett:struts-tools (>=0.8-M1 <=0.9.117) +33 more potentially affected by CVE-2006-1546 via struts:struts (>=1.1 <=1.2.8)

struts:struts MAVEN version =1.1, =0.8-M1, =0.9.0, =1.0.0, =3.2, =3.2, =3.2, =3.2, =1.1.5, =1.0.3, =1.0.4 and more Source cves: CVE-2006-1546 Source advisory: OSV:GHSA-VF8G-MPMW-QV87...

CVSS 7.5 | AI score 7.2 | EPSS 0.05819
Exploits 0
Source: Github Security Blog | Added: 2022/05/01 6:50 a.m. | 35 views

Apache Struts vulnerable to Improper Input Validation

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with an 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected by applications that do not use the isCancelled check...

CVSS 7.5 | AI score 6.1 | EPSS 0.05819
Exploits 0 | References 15 | Affected Software 1
Source: Github Security Blog | Added: 2022/05/01 6:50 a.m. | 46 views

Improper Input Validation in Apache Struts

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to...

CVSS 7.8 | AI score 5.4 | EPSS 0.54635
Exploits 1 | References 10 | Affected Software 1
Source: Github Security Blog | Added: 2022/05/01 6:50 a.m. | 34 views

Cross-site scripting in Apache Struts

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting...

CVSS 4.3 | AI score 4.2 | EPSS 0.05047
Exploits 0 | References 3 | Affected Software 1
Source: OSV | Added: 2022/05/01 6:50 a.m. | 5 views

GHSA-VF8G-MPMW-QV87 Apache Struts vulnerable to Improper Input Validation

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with an 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected by applications that do not use the isCancelled check...

CVSS 7.3 | AI score 7.2 | EPSS 0.05819
Exploits 0 | References 15
Source: vulnersOsv | Added: 2022/05/01 6:50 a.m. | 3 views

com.octo.captcha:jcaptcha-all (=1.0-RC-2.0.1), com.thesett:struts-tools (>=0.8-M1 <=0.9.117) +33 more potentially affected by CVE-2006-1547 via struts:struts (>=1.1 <=1.2.8)

struts:struts MAVEN version =1.1, =0.8-M1, =0.9.0, =1.0.0, =3.2, =3.2, =3.2, =3.2, =1.1.5, =1.0.3, =1.0.4 and more Source cves: CVE-2006-1547 Source advisory: OSV:GHSA-7QWV-CWGJ-C8RJ...

CVSS 7.8 | AI score 7.1 | EPSS 0.54635
Exploits 1
Source: OSV | Added: 2022/05/01 6:50 a.m. | 2 views

GHSA-P3VW-FVWX-QCV5 Cross-site scripting in Apache Struts

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting...

CVSS 3.7 | AI score 7.3 | EPSS 0.05047
Exploits 0 | References 3
Source: OSV | Added: 2022/05/01 6:50 a.m. | 0 views

GHSA-7QWV-CWGJ-C8RJ Improper Input Validation in Apache Struts

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to...

CVSS 7.5 | AI score 7.2 | EPSS 0.54635
Exploits 1 | References 10
Source: OSV | Added: 2022/05/01 2:20 a.m. | 23 views

GHSA-9CJH-QMVX-436C Apache Struts Cross-site scripting Vulnerability

Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message...

CVSS 4.3 | AI score 7.1 | EPSS 0.25707
Exploits 1 | References 10
Source: Github Security Blog | Added: 2022/05/01 2:20 a.m. | 32 views

Apache Struts Cross-site scripting Vulnerability

Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message...

CVSS 4.3 | AI score 6.1 | EPSS 0.25707
Exploits 1 | References 11 | Affected Software 1
Source: BDU FSTEC | Added: 2022/04/28 12:00 a.m. | 2 views

The vulnerability of the Apache Struts software framework arises from incorrect processing of Object Graph Navigation Language expressions, allowing attackers to execute arbitrary code.

The vulnerability of the Apache Struts software framework exists due to incorrect processing of expressions written in Object Graph Navigation Language. Exploiting this vulnerability allows a malicious actor to execute arbitrary code using a specially created request...

CVSS 10 | AI score 7.9 | EPSS 0.85101
Exploits 7 | References 5 | Affected Software 1
Source: Saint | Added: 2022/04/26 12:00 a.m. | 153 views

Apache Struts forced OGNL evaluation incomplete fix

Added: 04/26/2022. Background: Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. Struts uses Object-Graph Navigation Language (OGNL) to...

CVSS 9.8 | AI score 10 | EPSS 0.95922
Exploits 11
Source: Saint | Added: 2022/04/26 12:00 a.m. | 192 views

Apache Struts forced OGNL evaluation incomplete fix

Added: 04/26/2022. Background: Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. Struts uses Object-Graph Navigation Language (OGNL) to...

CVSS 9.8 | AI score 10 | EPSS 0.95922
Exploits 11
Source: vulnersOsv | Added: 2022/04/23 12:40 a.m. | 6 views

be.objectify:objectify-struts2-tags (=1.0), br.net.woodstock.rockframework:rockframework-struts2 (>=2.0.0 <=2.0.8) +298 more potentially affected by CVE-2012-1592 via org.apache.struts:struts2-core (>=2.0.11 <=2.5.20)

org.apache.struts:struts2-core MAVEN version =2.0.11, =2.0.0, =1.2.1, =1.5.3, =1.5.3, =1.2.2, =1.2.2, =1.2.2, =1.2.2, =1.2, =1.0, =1.0, =1.0, =1.0.4 and more Source cves: CVE-2012-1592 Source advisory: OSV:GHSA-8M5Q-CRQQ-6PMF...

CVSS 8.8 | AI score 7.2 | EPSS 0.2855
Exploits 0
Source: Github Security Blog | Added: 2022/04/22 12:24 a.m. | 29 views

Struts ParameterInterceptor vulnerability allows remote command execution

The regular expression in ParametersInterceptor matches top['foo'] as a valid expression, which OGNL treats as top['foo'](0) and evaluates the value of the 'foo' action parameter as an OGNL expression. This lets malicious users put arbitrary OGNL statements into any String variable exposed by an action and hav...

CVSS 9.8 | AI score 9.2 | EPSS 0.88829
Exploits 16 | References 8 | Affected Software 1
Source: vulnersOsv | Added: 2022/04/22 12:24 a.m. | 3 views

be.objectify:objectify-struts2-tags (=1.0), br.net.woodstock.rockframework:rockframework-struts2 (>=2.0.0 <=2.0.8) +203 more potentially affected by CVE-2011-3923 via org.apache.struts:struts2-core (>=2.0.11 <=2.3.1.1)

org.apache.struts:struts2-core MAVEN version =2.0.11, =2.0.0, =1.2.1, =1.5.3, =1.5.3, =0.5.9, =1.2.0, =1.0.0, =2.0, =1.0.3, =1.2.2, =1.4.0 and more Source cves: CVE-2011-3923 Source advisory: OSV:GHSA-J68F-8H6P-9H5Q...

CVSS 9.8 | AI score 7.2 | EPSS 0.88829
Exploits 16
Source: OSV | Added: 2022/04/22 12:24 a.m. | 0 views

GHSA-J68F-8H6P-9H5Q Struts ParameterInterceptor vulnerability allows remote command execution

The regular expression in ParametersInterceptor matches top['foo'] as a valid expression, which OGNL treats as top['foo'](0) and evaluates the value of the 'foo' action parameter as an OGNL expression. This lets malicious users put arbitrary OGNL statements into any String variable exposed by an action and hav...

CVSS 9.8 | AI score 7.6 | EPSS 0.88829
Exploits 16 | References 7