
1986 matches found

CVE
added 2014/03/10 2:0 p.m. | 152 views

CVE-2014-0094

CVE-2014-0094 affects Apache Struts where the ParametersInterceptor before 2.3.16.2 allows a crafted request to pass a class parameter to getClass(), enabling ClassLoader manipulation and remote code execution in vulnerable deployments. Public references note exploitation in versions prior to 2.3...

5 CVSS | 9.1 AI score | 0.99614 EPSS
Exploits 7 | References 15 | Affected Software 1
Cvelist
added 2014/03/10 2:0 p.m. | 40 views

CVE-2014-0094

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method...

8.4 AI score | 0.99614 EPSS
Exploits 7 | References 15
seebug.org
added 2014/03/10 12:0 a.m. | 138 views

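Apache Struts ClassLoader Manipulation Vulnerability

CVE ID: CVE-2014-0094. Struts2 is a second-generation Java enterprise web application framework based on the Model-View-Controller (MVC) model. The application allows access to the "class" parameter, which maps directly to the "getClass()" method; this can be exploited to manipulate the ClassLoader of the application server in use. 0 Apache Struts 2.x Vendor patch: Apache ----- The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: http://struts.apache.org/release/2.3.x/docs/s2-020.html...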

5 CVSS | 0.5 AI score | 0.99614 EPSS
Exploits 7
Exploit DB
added 2014/03/06 12:0 a.m. | 60 views

Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Apache Struts ClassLoader Manipulation Remote Code Execution', 'Description' = %q This module exploits a remote command executi...

7.4 AI score
Exploits 0
Check Point Advisories
added 2014/02/17 12:0 a.m. | 6 views

Apache Struts Debugging Interceptor Remote Code Execution (CVE-2012-0394)

A remote code execution vulnerability exists in Apache Struts 2 web application framework. The vulnerability is due to insufficient input sanitization when running commands in "developer mode". A remote attacker can exploit this vulnerability by sending a crafted HTTP request to a vulnerable...

1.8 AI score | 0.74405 EPSS
Exploits 9
Exploit DB
added 2014/02/05 12:0 a.m. | 126 views

Apache Struts - Developer Mode OGNL Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'Apache Struts Developer Mode OGNL Execution', 'Description' = %q This module exploits a remote command execution vulnerability in...

6.8 CVSS | 7 AI score | 0.74405 EPSS
Exploits 9
0day.today
added 2014/02/04 12:0 a.m. | 89 views

Apache Struts Developer Mode OGNL Execution Exploit

This Metasploit module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java...

6.8 CVSS | 9.4 AI score | 0.74405 EPSS
Exploits 9
Packet Storm
added 2014/02/01 12:0 a.m. | 34 views

Apache Struts Developer Mode OGNL Execution

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'Apache Struts Developer Mode OGNL Execution', 'Description' = %q This module exploits a remote command execution vulnerability in...

6.8 CVSS | 0.3 AI score | 0.74405 EPSS
Exploits 9
Metasploit
added 2014/01/26 12:17 a.m. | 29 views

Apache Struts 2 Developer Mode OGNL Execution

This module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This...

6.8 CVSS | 7.8 AI score | 0.74405 EPSS
Exploits 9
F5 Networks
added 2014/01/20 12:0 a.m. | 443 views

SOL14933 - Apache Struts vulnerability CVE-2013-2251

Recommended action: None. Supplemental Information: SOL9970: Subscribing to email notifications regarding F5 products; SOL9957: Creating a custom RSS feed to view new and updated documents; SOL4602: Overview of the F5 security vulnerability response policy; SOL15260: Apache Struts vulnerability...

9.8 CVSS | 3.4 AI score | 0.99998 EPSS
Exploits 25 | References 6
securityvulns
added 2013/12/09 12:0 a.m. | 54 views

[ANN] Struts 2.3.15.3 GA release available - security fix

The Apache Struts group is pleased to announce that Struts 2.3.15.3 is available as a "General Availability" release. The GA designation is our highest quality grade. Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed ...

0.2 AI score
Exploits 0
myhack58
added 2013/11/22 12:0 a.m. | 22 views

Struts2 latest S2-016 code execution vulnerability - vulnerability warning - the black bar safety net

Affected version: Struts 2.0.0 – Struts 2.3.15 Vulnerability description: The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target Expression. This mechanism was...

0.4 AI score
Exploits 0
NVD
added 2013/11/02 9:55 p.m. | 17 views

CVE-2013-6348

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/...

4.3 CVSS | 5.7 AI score | 0.06125 EPSS
Exploits 1 | References 6
Prion
added 2013/11/02 9:55 p.m. | 20 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/...

4.3 CVSS | 6.1 AI score | 0.06125 EPSS
Exploits 1 | References 6 | Affected Software 1
UbuntuCve
added 2013/11/02 9:55 p.m. | 29 views

CVE-2013-6348

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/...

4.3 CVSS | 5.9 AI score | 0.06125 EPSS
Exploits 1 | References 7
Cvelist
added 2013/11/02 9:0 p.m. | 23 views

CVE-2013-6348

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/...

5.7 AI score | 0.06125 EPSS
Exploits 1 | References 6
OpenVAS
added 2013/10/29 12:0 a.m. | 32 views

Apache Struts 2.x <= 2.3.15.3 XSS Vulnerability

Apache Struts is prone to a cross-site scripting (XSS) vulnerability. SPDX-FileCopyrightText: 2013 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:apache:struts...

4.3 CVSS | 6 AI score | 0.06125 EPSS
Exploits 1 | References 2
Cisco
added 2013/10/23 4:0 p.m. | 32 views

Multiple Vulnerabilities in Cisco Identity Services Engine

Cisco Identity Services Engine (ISE) contains the following vulnerabilities: Cisco ISE Authenticated Arbitrary Command Execution Vulnerability; Cisco ISE Support Information Download Authentication Bypass Vulnerability. These vulnerabilities are independent of each other; a release that is affected b...

9 CVSS | 7.2 AI score | 0.02291 EPSS
Exploits 0 | References 1
Cisco
added 2013/10/23 4:0 p.m. | 53 views

Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products

Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability. The vulnerability is due to insufficient sanitization of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests...

9 CVSS | 9.1 AI score | 0.99998 EPSS
Exploits 18 | References 1
ThreatPost
added 2013/10/22 3:30 p.m. | 14 views

Apache Fixes Information Disclosure Vuln in Shindig

The Apache Software Foundation released a new version of Shindig, a framework for Web applications yesterday, fixing what the collective has deemed an important information disclosure vulnerability. According to a post on Seclists.org by Ryan Baxter, an Apache Shindig committer, the problem affec...

0.6 AI score
Exploits 0 | References 5