K17588029: Apache Struts vulnerabilities CVE-2016-0785, CVE-2016-2162, CVE-2016-3081, CVE-2016-3082, and CVE-2016-4003

Security Advisory Description CVE-2016-0785 Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%" sequence in a tag attribute, aka forced double OGNL evaluation. CVE-2016-2162 Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object...

Security Bulletin: The IBM FlashSystem 840 and V840 product model number AE1 nodes are affected by vulnerabilities in Apache’s Struts library

Summary Security vulnerabilities have been discovered in Apache’s Struts library Vulnerability Details CVE-ID: CVE-2014-0112, CVE-2014-0094, & CVE-2014-0050 DESCRIPTION: FlashSystem 840 MTM 9840-AE1, and FlashSystem V840 MTMs 9846-AE1 and 9848-AE1 use the Apache Struts library. Struts is used onl...

Security Bulletin: A vulnerability in Struts affects the IBM FlashSystem models 840 and 900 (CVE-2015-5209)

Summary There is a vulnerability in Apache Struts to which the IBM® FlashSystem™ 840 and IBM FlashSystem 900 are susceptible. An exploit of this vulnerability could allow a remote attacker to gain unauthorized access to the system. Vulnerability Details CVEID: CVE-2015-5209 DESCRIPTION: Apache...

Security Bulletin: IBM FlashSystem 840 and IBM FlashSystem V840, -AE1 models nodes are affected by vulnerabilities in Apache’s Struts library (CVE-2014-7809)

Summary Apache Struts could potentially allow a remote attacker to bypass security restrictions, caused by predictable tokens. Vulnerability Details CVEID:CVE-2014-7809 DESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by predictable tokens. By sendi...

Security Bulletin: Vulnerabilities in Apache Struts affect the IBM FlashSystem models 840 and 900 (CVE-2016-0785 CVE-2016-2162)

Summary Open Source Apache Struts vulnerabilities were disclosed in March 2016. Struts is used by IBM® FlashSystem™ 840 and IBM FlashSystem 900 in its Service Assistant GUI. Vulnerability Details CVEID: CVE-2016-0785 DESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary co...

Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem 840 and 900

Summary There is a vulnerability in Apache Struts which the IBM FlashSystem™ 840 and 900 are susceptible. An exploit of that vulnerability CVE-2018-11776 could make the system susceptible to attacks which could allow an attacker to execute arbitrary code on the system. Vulnerability Details CVEID...

Security Bulletin: Vulnerabilities in Apache Struts affect the IBM FlashSystem models 840 and 900

Summary There are vulnerabilities in Apache Struts to which the IBM® FlashSystem™ 840 and FlashSystem™ 900 are susceptible. An exploit of these vulnerabilities CVE-2016-4430, CVE-2016-4431, CVE-2016-4433, and CVE-2016-4436 could allow a remote attacker to perform a cross-site script attack, perfo...

Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem models 840 and 900

Summary There is a vulnerability in Apache Struts to which the IBM® FlashSystem™ 840 and FlashSystem™ 900 is susceptible. An exploit of this vulnerability CVE-2017-5638 could allow a remote attacker to execute arbitrary code on the system Vulnerability Details CVEID: CVE-2017-5638 DESCRIPTION:...

SUSE CVE-2005-3745

Cross-site scripting XSS vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message...

SUSE CVE-2008-2025

Cross-site scripting XSS vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise SLE 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web scrip...

SUSE CVE-2011-2087

Multiple cross-site scripting XSS vulnerabilities in component handlers in the javatemplates aka Java Templates plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of...

SUSE CVE-2011-3923

Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands...

SUSE CVE-2012-0391

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter...

SUSE CVE-2012-0394

The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself...

SUSE CVE-2012-1007

Multiple cross-site scripting XSS vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via 1 the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to 2 struts-cookbook/processSimple.do or 3...

SUSE CVE-2012-1592

A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files...

SUSE CVE-2013-2248

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the 1 redirect: or 2 redirectAction: prefix...

SUSE CVE-2013-2251

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted 1 action:, 2 redirect:, or 3 redirectAction: prefix...

SUSE CVE-2013-4316

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors...

SUSE CVE-2014-0112

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for...