1986 matches found

OSV
added 2022/05/17 1:49 a.m., 17 views

GHSA-CMPM-JG8R-FV37 Apache Struts Multiple Cross-site Scripting Vulnerabilities

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders...

CVSS 4.3, AI score 5.4, EPSS 0.58476
Exploits: 1, References: 5
Github Security Blog
added 2022/05/17 1:42 a.m., 24 views

Denial of service in Apache Struts

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression...

CVSS 5, AI score 6.1, EPSS 0.08353
Exploits: 0, References: 9, Affected Software: 1
Github Security Blog
added 2022/05/17 1:42 a.m., 27 views

Cross-Site Request Forgery in Apache Struts

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute...

CVSS 6.8, AI score 5.7, EPSS 0.03451
Exploits: 0, References: 7, Affected Software: 1
OSV
added 2022/05/17 1:42 a.m., 19 views

GHSA-HRGC-54MV-58GV Denial of service in Apache Struts

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression...

CVSS 5, AI score 8.9, EPSS 0.08353
Exploits: 0, References: 9
OSV
added 2022/05/17 1:42 a.m., 25 views

GHSA-2RVH-Q539-Q33V Cross-Site Request Forgery in Apache Struts

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute...

CVSS 6.8, AI score 6.4, EPSS 0.03451
Exploits: 0, References: 6
Github Security Blog
added 2022/05/17 12:50 a.m., 27 views

Incomplete exclude pattern in Apache Struts

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. In Struts 2.3.20.1 a better set of exclude patterns was defined...

CVSS 7.5, AI score 6.3, EPSS 0.06312
Exploits: 0, References: 4, Affected Software: 2
OSV
added 2022/05/17 12:50 a.m., 21 views

GHSA-Q2CG-XF9P-H457 Incomplete exclude pattern in Apache Struts

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. In Struts 2.3.20.1 a better set of exclude patterns was defined...

CVSS 7.5, AI score 6.2, EPSS 0.06312
Exploits: 0, References: 4
Github Security Blog
added 2022/05/17 12:29 a.m., 22 views

Apache Struts CSRF Vulnerability

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors...

CVSS 8.8, AI score 6.9, EPSS 0.03956
Exploits: 0, References: 11, Affected Software: 1
OSV
added 2022/05/17 12:29 a.m., 1 view

GHSA-38QW-J787-V8C2 Apache Struts CSRF Vulnerability

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors...

CVSS 8.8, AI score 7.2, EPSS 0.03956
Exploits: 0, References: 11
OSV
added 2022/05/14 3:15 a.m., 0 views

GHSA-CVVX-R33M-V7PQ Improper Input Validation in Apache Struts

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter...

CVSS 7.5, AI score 7.2, EPSS 0.20885
Exploits: 0, References: 8
Github Security Blog
added 2022/05/14 3:15 a.m., 22 views

Apache Struts vulnerable to possible DoS attack when using URLValidator

If an application allows a URL to be entered in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that will overload the server process when the URL is validated...

CVSS 5.9, AI score 5.5, EPSS 0.03347
Exploits: 0, References: 5, Affected Software: 1
Github Security Blog
added 2022/05/14 3:15 a.m., 20 views

Apache Struts RCE Vulnerability

The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling...

CVSS 8.8, AI score 7.8, EPSS 0.06142
Exploits: 0, References: 6, Affected Software: 1
OSV
added 2022/05/14 3:15 a.m., 1 view

GHSA-86VQ-8QHC-5RQW Apache Struts vulnerable to possible DoS attack when using URLValidator

If an application allows a URL to be entered in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that will overload the server process when the URL is validated...

CVSS 5.9, AI score 6.2, EPSS 0.03347
Exploits: 0, References: 5
OSV
added 2022/05/14 3:15 a.m., 22 views

GHSA-GGMP-FXFG-277R Apache Struts RCE Vulnerability

The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling...

CVSS 8.8, AI score 8.7, EPSS 0.06142
Exploits: 0, References: 6
OSV
added 2022/05/14 2:55 a.m., 2 views

GHSA-9CCM-G362-2R35 XWork in Apache Struts Reveals Sensitive Information

XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772....

CVSS 5, AI score 7.2, EPSS 0.0614
Exploits: 2, References: 6
Github Security Blog
added 2022/05/14 2:55 a.m., 35 views

XWork in Apache Struts Reveals Sensitive Information

XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772....

CVSS 5, AI score 6.4, EPSS 0.0614
Exploits: 2, References: 7, Affected Software: 1
Github Security Blog
added 2022/05/14 2:50 a.m., 54 views

Cross-Site Request Forgery in Apache Struts

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable values, which allows remote attackers to bypass the CSRF protection mechanism...

CVSS 6.8, AI score 7.8, EPSS 0.03486
Exploits: 0, References: 8, Affected Software: 1
Github Security Blog
added 2022/05/14 2:21 a.m., 31 views

Withdrawn Advisory: Apache Struts XSS

Withdrawn Advisory: This advisory has been withdrawn because it was deemed invalid. This link is maintained to preserve external references. Original Description: Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML...

CVSS 4.3, AI score 7.2, EPSS 0.337
Exploits: 1, References: 3, Affected Software: 2
OSV
added 2022/05/14 2:21 a.m., 2 views

GHSA-9848-V244-962P Withdrawn Advisory: Apache Struts XSS

Withdrawn Advisory: This advisory has been withdrawn because it was deemed invalid. This link is maintained to preserve external references. Original Description: Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML...

CVSS 4.3, AI score 7.2, EPSS 0.337
Exploits: 1, References: 2
Github Security Blog
added 2022/05/14 1:57 a.m., 26 views

Cross-site Scripting in Apache Struts

When the Struts2 debug mode is turned on, under certain conditions an arbitrary script may be executed in the 'Problem Report' screen. Also, if JSP files are exposed so that they can be accessed directly, it is possible to execute an arbitrary script. It is generally not advisable to have debug mode switched on...

CVSS 6.1, AI score 7, EPSS 0.08027
Exploits: 0, References: 7, Affected Software: 1