
1986 matches found

CVE
added 2009/03/23 2:00 p.m., 100 views

CVE-2008-6504

CVE-2008-6504 affects OpenSymphony XWork (ParameterInterceptor) used in Apache Struts: OGNL refs to # context objects are not properly restricted, enabling remote OGNL evaluation and modification of server-side objects. Affected: XWork 2.0.x prior to 2.0.6 and 2.1.x prior to 2.1.2; vulnerability ...

CVSS 5 | AI score 6.8 | EPSS 0.394
Exploits 1 | References 11 | Affected Software 1

CVE
added 2009/03/23 2:00 p.m., 81 views

CVE-2008-6505

CVE-2008-6505 affects Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3. The vulnerability is a directory traversal issue triggered by an encoded dot-dot-slash sequence in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1.x. Explo...

CVSS 5 | AI score 6.8 | EPSS 0.72522
Exploits 0 | References 7 | Affected Software 1

Tenable Nessus
added 2008/11/24 12:00 a.m., 81 views

Apache Struts 2 < 2.0.12 / 2.1.3 Dispatcher Directory Traversal

The remote web server is using Apache Struts, a web application framework for developing Java EE web applications. The version of Apache Struts 2 installed on the remote host fails to properly decode and normalize the request path before serving static content. Using double-encoded directory...

CVSS 5 | AI score 5.8 | EPSS 0.72522
Exploits 0 | References 3

Tenable Nessus
added 2008/11/24 12:00 a.m., 246 views

Apache Struts 2 devMode Information Disclosure

The remote web server is using Apache Struts 2, a web application framework for developing Java EE web applications. The version of Apache Struts 2 installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web...

AI score 5.6
Exploits 0 | References 2

Check Point Advisories
added 2008/11/07 12:00 a.m., 0 views

Update Protection against Apache Struts Security Bypass and Directory Traversal

A directory traversal vulnerability has been reported in Apache Struts. Apache Struts is a Java-based web application development framework. This vulnerability allows an attacker to access normally-inaccessible files and directories through a specially-created HTTP request, leading to potential...

AI score 6.6
Exploits 0

Japan Vulnerability Notes
added 2008/05/20 3:00 p.m., 2 views

Apache Struts Validator allows to bypass input data validation

Overview: Apache Struts is a Web application framework from the Apache Software Foundation. Apache Struts contains a vulnerability allowing to bypass input data validation by the Validator. Impact: Depending on the web application, an attacker may be able to manipulate unexpected operations by...

CVSS 7.5 | AI score 8.6 | EPSS 0.05819
Exploits 0 | References 9

Prion
added 2007/08/28 1:17 a.m., 16 views

Input validation

Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop...

CVSS 6.8 | AI score 8.3 | EPSS 0.25749
Exploits 0 | References 14 | Affected Software 1

CVE
added 2007/08/28 1:00 a.m., 98 views

CVE-2007-4556

OpenSymphony XWork (used by WebWork and Apache Struts) before 1.2.3, and 2.x before 2.0.4, evaluates inputs as OGNL expressions when altSyntax is enabled. The underlying issue is recursive OGNL processing, which can lead to a denial of service (infinite loop) and, in some cases, remote code execu...

CVSS 6.8 | AI score 7.7 | EPSS 0.25749
Exploits 0 | References 14 | Affected Software 1

seebug.org
added 2006/11/20 12:00 a.m., 25 views

Apache Struts Error Response Cross-Site Scripting Vulnerability

Struts is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the...

AI score 6.7
Exploits 0

RedHat Linux
added 2006/05/03 3:48 p.m., 3 views

security flaw

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to...

CVSS 7.8 | AI score 7.4 | EPSS 0.54635
Exploits 1 | References 5

RedHat Linux
added 2006/05/03 3:48 p.m., 4 views

struts bypass validation

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check...

CVSS 7.5 | AI score 7.4 | EPSS 0.05819
Exploits 0 | References 4

Japan Vulnerability Notes
added 2006/04/26 12:00 a.m., 38 views

JVN#72225922 Apache Struts Validator allows to bypass input data validation

Impact Depending on the web application, an attacker may be able to manipulate unexpected operations by bypassing validation of input data. For example, unintended format data may be saved. Solution Products Affected Apache Struts 1.2.8 and earlier...

CVSS 7.5 | AI score 7.4 | EPSS 0.05819
Exploits 0

securityvulns
added 2006/04/04 12:00 a.m., 35 views

Multiple Apache Struts application server security vulnerabilities

Protection bypass, cross-site scripting, DoS...

AI score 1.9
Exploits 0 | References 1 | Affected Software 1

Prion
added 2006/03/30 10:02 p.m., 20 views

Input validation

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check...

CVSS 7.5 | AI score 9.2 | EPSS 0.05819
Exploits 0 | References 11 | Affected Software 1

Prion
added 2006/03/30 10:02 p.m., 24 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting...

CVSS 4.3 | AI score 7.6 | EPSS 0.05047
Exploits 0 | References 10 | Affected Software 1

NVD
added 2006/03/30 10:02 p.m., 29 views

CVE-2006-1546

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check...

CVSS 7.5 | AI score 9.3 | EPSS 0.05819
Exploits 0 | References 11

Cvelist
added 2006/03/30 10:00 p.m., 26 views

CVE-2006-1548

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting...

AI score 7.9 | EPSS 0.05047
Exploits 0 | References 10

CVE
added 2006/03/30 10:00 p.m., 1098 views

CVE-2006-1547

CVE-2006-1547 affects Apache Struts 1.x before 1.2.9 when used with BeanUtils 1.7. The vulnerability arises from ActionForm handling a multipart/form-data form where a parameter name references getMultipartRequestHandler, granting access to elements in CommonsMultipartRequestHandler and BeanUtils...

CVSS 7.8 | AI score 7.2 | EPSS 0.54635
In wild | Exploits 1 | References 10 | Affected Software 1

Cvelist
added 2006/03/30 10:00 p.m., 31 views

CVE-2006-1547

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to...

AI score 8.9 | EPSS 0.54635
Exploits 1 | References 9

Positive Technologies
added 2006/03/30 12:00 a.m., 1 view

PT-2006-2547 · Apache · Apache Struts

Name of the Vulnerable Software and Affected Versions: Apache Software Foundation (ASF) Struts versions prior to 1.2.9. Description: The issue allows remote attackers to bypass validation by sending a request with a parameter org.apache.struts.taglib.html.Constants.CANCEL, causing the action to be...

CVSS 7.5 | AI score 7.9 | EPSS 0.05819
Exploits 0 | References 19