
1986 matches found

Prion
added 2016/07/04 10:59 p.m. | 19 views

Cross site scripting

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899...

CVSS 6.4 | AI score 7.5 | EPSS 0.2593
Exploits 0 | References 20 | Affected Software 1
NVD
added 2016/07/04 10:59 p.m. | 25 views

CVE-2015-0899

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter...

CVSS 7.5 | AI score 7.4 | EPSS 0.21425
Exploits 0 | References 7
UbuntuCve
added 2016/07/04 10:59 p.m. | 35 views

CVE-2016-4433

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request...

CVSS 7.5 | AI score 7.2 | EPSS 0.10013
Exploits 0 | References 2
Prion
added 2016/07/04 10:59 p.m. | 18 views

Design/Logic Flaw

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899...

CVSS 6.8 | AI score 8.2 | EPSS 0.21425
Exploits 0 | References 21 | Affected Software 3
UbuntuCve
added 2016/07/04 10:59 p.m. | 23 views

CVE-2015-0899

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter...

CVSS 7.5 | AI score 7.2 | EPSS 0.21425
Exploits 0 | References 4
Prion
added 2016/07/04 10:59 p.m. | 22 views

Information disclosure

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter...

CVSS 5 | AI score 6.8 | EPSS 0.21425
Exploits 0 | References 7 | Affected Software 1
Prion
added 2016/07/04 10:59 p.m. | 20 views

Cross site request forgery (csrf)

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors...

CVSS 6.8 | AI score 7.2 | EPSS 0.03956
Exploits 0 | References 8 | Affected Software 1
Prion
added 2016/07/04 10:59 p.m. | 17 views

Default configuration

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method...

CVSS 5 | AI score 7.1 | EPSS 0.10013
Exploits 0 | References 8 | Affected Software 1
Prion
added 2016/07/04 10:59 p.m. | 20 views

Cross site request forgery (csrf)

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request...

CVSS 5 | AI score 7 | EPSS 0.10013
Exploits 0 | References 8 | Affected Software 1
Prion
added 2016/07/04 10:59 p.m. | 18 views

Design/Logic Flaw

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field...

CVSS 5 | AI score 7 | EPSS 0.10638
Exploits 0 | References 7 | Affected Software 1
UbuntuCve
added 2016/07/04 10:59 p.m. | 28 views

CVE-2016-4430

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors...

CVSS 8.8 | AI score 7.2 | EPSS 0.03956
Exploits 0 | References 2
UbuntuCve
added 2016/07/04 10:59 p.m. | 23 views

CVE-2016-1181

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899...

CVSS 8.1 | AI score 7.5 | EPSS 0.13227
Exploits 0 | References 2
Prion
added 2016/07/04 10:59 p.m. | 25 views

Design/Logic Flaw

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression...

CVSS 7.5 | AI score 8 | EPSS 0.17171
Exploits 2 | References 6 | Affected Software 1
Cvelist
added 2016/07/04 10:0 p.m. | 33 views

CVE-2016-1181

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899...

AI score 8.3 | EPSS 0.13227
Exploits 0 | References 21
CVE
added 2016/07/04 10:0 p.m. | 223 views

CVE-2016-1182

CVE-2016-1182 is referenced in Jira issues JSWSERVER-26635/26636 and JSDSERVER-16462/16461, tying the vulnerability to ActionServlet.java in Apache Struts 1.x (1.3.10) with improper Validator configuration. Exploitation concerns remote code execution (RCE) and DoS, with CVSS scores around 8.x (RC...

CVSS 8.2 | AI score 7.8 | EPSS 0.2593
Exploits 0 | References 20 | Affected Software 1
Cvelist
added 2016/07/04 10:0 p.m. | 30 views

CVE-2016-1182

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899...

AI score 7.7 | EPSS 0.2593
Exploits 0 | References 20
Cvelist
added 2016/07/04 10:0 p.m. | 24 views

CVE-2015-0899

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter...

AI score 7.4 | EPSS 0.21425
Exploits 0 | References 7
CVE
added 2016/07/04 10:0 p.m. | 162 views

CVE-2015-0899

CVE-2015-0899 affects Apache Struts 1.x (1.1–1.3.10) where the MultiPageValidator allows remote bypass of access restrictions via a modified page parameter. IBM advisories (IBM Library Support for Struts 1.3.16 remediation, and related IBM bulletins) confirm this family of vulnerabilities and lis...

CVSS 7.5 | AI score 7.4 | EPSS 0.21425
Exploits 0 | References 7 | Affected Software 1
CVE
added 2016/07/04 10:0 p.m. | 84 views

CVE-2016-4465

CVE-2016-4465 affects Apache Struts 2, specifically the URLValidator. Versions 2.3.20–2.3.28.1 and 2.5.x before 2.5.1 are vulnerable to denial of service when a null value is submitted for a URL field, due to improper validation. The issue is caused by URLValidator handling flaws that allow an un...

CVSS 5.3 | AI score 5.3 | EPSS 0.10638
Exploits 0 | References 7 | Affected Software 1
CVE
added 2016/07/04 10:0 p.m. | 90 views

CVE-2016-4430

CVE-2016-4430 affects Apache Struts 2.3.20–2.3.28.1, where token validation is mishandled, enabling remote CSRF attacks via unspecified vectors. Public sources in connected docs (IBM security advisories and the NVD entry) corroborate the CSRF impact and tie it to the same Struts versions. The vul...

CVSS 8.8 | AI score 8.5 | EPSS 0.03956
Exploits 0 | References 8 | Affected Software 1