1986 matches found
Arbitrary code execution in Apache Struts 2
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135...
GHSA-VWHV-J36G-5RM8 Cross-site Scripting in Apache Struts
When the Struts2 debug mode is turned on, under certain conditions an arbitrary script may be executed in the 'Problem Report' screen. Also if JSP files are exposed to be accessed directly it's possible to execute an arbitrary script. It is generally not advisable to have debug mode switched on...
GHSA-GQQM-564F-VVXQ Arbitrary code execution in Apache Struts 2
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135...
GHSA-M3X6-9V6H-4G28 Cross-site Scripting in Apache Struts
Cross-site scripting XSS vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter...
Arbitrary code execution in Apache Struts 2
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "$" and "%" sequences, which causes the OGNL code to be evaluated twice...
Cross-site Scripting in Apache Struts
Cross-site scripting XSS vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter...
GHSA-PW8R-X2QM-3H5M Arbitrary code execution in Apache Struts 2
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "$" and "%" sequences, which causes the OGNL code to be evaluated twice...
GHSA-MWRX-HX6X-3HHV Apache Struts Code injection due to conversion error
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field...
Apache Struts Code injection due to conversion error
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field...
Apache Struts forced double OGNL evaluation
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785...
GHSA-864W-R5QJ-H6FJ Apache Struts forced double OGNL evaluation
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785...
ClassLoader manipulation in Apache Struts
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for...
GHSA-PRJV-JJ26-WF8H ClassLoader manipulation in Apache Struts
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for...
be.objectify:objectify-struts2-tags (=1.0), br.net.woodstock.rockframework:rockframework-struts2 (>=2.0.0 <=2.0.8) +180 more potentially affected by CVE-2014-0094 via org.apache.struts:struts2-core (>=2.0.11 <=2.3.16.1)
org.apache.struts:struts2-core MAVEN version =2.0.11, =2.0.0, =1.2.1, =1.5.3, =1.5.3, =1.2.0, =1.0.0, =1.0.3, =1.2.2, =1.4.1, =0.6, =0.7 and more Source cves: CVE-2014-0094 Source advisory: OSV:GHSA-VRWC-QJMW-5RJM...
ClassLoader manipulation in Apache Struts
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method...
Improper Control of Generation of Code in Apache Struts
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect...
Arbitrary code execution in Apache Struts
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the 1 URL or 2 A tag...
GHSA-3C5C-XRQ4-QHR8 ClassLoader manipulation in Apache Struts
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists...
ClassLoader manipulation in Apache Struts
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists...
GHSA-VRWC-QJMW-5RJM ClassLoader manipulation in Apache Struts
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method...