CVE-2025-68493 impact on Bamboo
Issue Summary: Impact of CVE-2025-68493 in Bamboo (https://cwiki.apache.org/confluence/display/WW/S2-069). Parsing of XML configuration in the XWork component does not validate the XML properly, making it vulnerable to XML external entity (XXE) injection. Steps to Reproduce: ||Impact of...
Apache Struts 2.x <= 2.3.37 / 2.5.x <= 2.5.33 / 6.x < 6.1.1 XML External Entity Injection in XWork (S2-069)
The version of Apache Struts installed on the remote host is 2.0.0 through 2.3.37, 2.5.0 through 2.5.33, or 6.x prior to 6.1.1. It is, therefore, affected by an XML external entity injection (XXE) vulnerability in the XWork component: - Missing XML Validation vulnerability in Apache Struts, Apache...
be.objectify:objectify-struts2-tags (=1.0), br.net.woodstock.rockframework:rockframework-web (>=1.2.1 <=1.2.2) +58 more potentially affected by CVE-2025-68493 via com.opensymphony:xwork (>=2.0.4 <=2.1.3)
com.opensymphony:xwork MAVEN version =2.0.4, =1.2.1, =4.0.1, =0.9.2, =1.1.5, =1.3.3, =1.3.1, =2.0.5-incubating, =2.0.9, =2.0.11, =2.0.9, =2.0.9, =2.0.9, =2.1.6 - org.apache.struts:struts2-convention-plugin =2.1.6 and more Source cves: CVE-2025-68493 Source advisory: OSV:GHSA-QCFC-HMRC-59X7...
br.net.woodstock.rockframework:rockframework-struts2 (>=2.0.0 <=2.0.8), br.net.woodstock.rockframework:rockframework-web (>=1.2.4 <=3.0.1) +272 more potentially affected by CVE-2025-68493 via org.apache.struts.xwork:xwork-core (>=2.2.1 <=2.3.8)
org.apache.struts.xwork:xwork-core MAVEN version =2.2.1, =2.0.0, =1.2.4, =1.5.3, =1.5.3, =1.2.2, =1.2.2, =1.2.2, =1.2.2, =1.0, =1.0, =1.0, =1.0, =2.0.0, =2.2.1 and more Source cves: CVE-2025-68493 Source advisory: OSV:GHSA-QCFC-HMRC-59X7...
CVE-2025-68493 Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component
Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue...
CVE-2025-68493
CVE-2025-68493 describes a Missing XML Validation vulnerability in Apache Struts (affecting 2.0.0–2.2.1, 2.2.1–6.1.0; fixed in 6.1.1). A connected exploit resource provides a PoC targeting the XXE weakness in XWork, including a read-file payload (e.g., /etc/passwd) via the vulnerable XML parsing ...
PT-2026-1915
Name of the Vulnerable Software and Affected Versions: Apache Struts versions 2.0.0 through 6.1.0. Description: The issue is a missing XML validation check in Apache Struts, allowing for XML External Entity (XXE) attacks. This flaw resides in the XWork component and can be exploited by attackers to re...
EUVD-2022-4099
Malicious code in bioql PyPI...
cn.sinapp.meutils:me-utils (=1.0), com.gnizr:gnizr-robot (=2.4.0-M4) +40 more potentially affected by CVE-2023-39022 via opensymphony:oscore (>=2.2.4 <=2.2.6)
opensymphony:oscore MAVEN version =2.2.4, =2.0, =2.1.5, =1.1.1, =1.1.3, =1.2, =1.2.3 and more Source cves: CVE-2023-39022 Source advisory: OSV:GHSA-859M-2PFX-FWHF...
SUSE CVE-2011-2088
XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772....
Cross-site Scripting in Apache Struts
Multiple Cross-Site Scripting (XSS) vulnerabilities in XWork-generated error pages in Apache Struts. By default, XWork doesn't escape action names in the automatically generated error page, allowing for a successful XSS attack. When Dynamic Method Invocation (DMI) is enabled, the action name is generated dynamically...
GHSA-56F8-G68R-J699 Cross-site Scripting in Apache Struts
Multiple Cross-Site Scripting (XSS) vulnerabilities in XWork-generated error pages in Apache Struts. By default, XWork doesn't escape action names in the automatically generated error page, allowing for a successful XSS attack. When Dynamic Method Invocation (DMI) is enabled, the action name is generated dynamically...
GHSA-WXW2-2MX5-C5QF Improper Input Validation in OpenSymphony XWork
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict pound sign (#) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and...
Improper Input Validation in OpenSymphony XWork
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict pound sign (#) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and...
br.net.woodstock.rockframework:rockframework-web (>=1.2.1 <=1.2.2), info.kfgodel:bean2bean (>=1.1.5 <=1.1.6) +27 more potentially affected by CVE-2008-6504 via com.opensymphony:xwork (>=2.1.0 <=2.1.1)
com.opensymphony:xwork MAVEN version =2.1.0, =1.2.1, =1.1.5, =1.1.6 - net.sf.fastupload:fastupload-core =0.4.7 - org.apache.struts:struts2-apps =2.1.2 - org.apache.struts:struts2-blank =2.1.2 - org.apache.struts:struts2-codebehind-plugin =2.1.2 - org.apache.struts:struts2-config-browser-plugin...
com.github.yujiaao:jmesa (>=4.0.1 <=4.1.3), com.microsoft.azure:applicationinsights-web (>=0.9.2 <=2.4.0-BETA) +23 more potentially affected by CVE-2008-6504 via com.opensymphony:xwork (>=2.0.4 <=2.0.5)
com.opensymphony:xwork MAVEN version =2.0.4, =4.0.1, =0.9.2, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.9, =2.0.11.2 and more Source cves: CVE-2008-6504 Source advisory: OSV:GHSA-WXW2-2MX5-C5QF...
br.net.woodstock.rockframework:rockframework-struts2 (>=2.0.0 <=2.0.8), br.net.woodstock.rockframework:rockframework-web (>=1.2.4 <=3.0.1) +259 more potentially affected by CVE-2012-4387 via org.apache.struts.xwork:xwork-core (>=2.2.1 <=2.3.4)
org.apache.struts.xwork:xwork-core MAVEN version =2.2.1, =2.0.0, =1.2.4, =1.5.3, =1.5.3, =1.2.2, =1.2.2, =1.2.2, =1.2.2, =0.5.9, =1.2.0, =1.2.3 - com.github.psyuhen:struts2-thymeleaf3-plugin =1.0.5.1-RELEASE and more Source cves: CVE-2012-4387 Source advisory: OSV:GHSA-HRGC-54MV-58GV...
br.net.woodstock.rockframework:rockframework-struts2 (>=2.0.0 <=2.0.8), br.net.woodstock.rockframework:rockframework-web (>=1.2.4 <=3.0.1) +206 more potentially affected by CVE-2015-1831 via org.apache.struts.xwork:xwork-core (>=2.2.1 <=2.3.20)
org.apache.struts.xwork:xwork-core MAVEN version =2.2.1, =2.0.0, =1.2.4, =1.5.3, =1.5.3, =1.2.2, =1.2.2, =1.2.2, =1.2.2, =0.5.9, =1.2.0, =1.0.0, =2.0, =1.0.3, =1.1.1 and more Source cves: CVE-2015-1831 Source advisory: OSV:GHSA-Q2CG-XF9P-H457...
GHSA-9CCM-G362-2R35 XWork in Apache Struts Reveals Sensitive Information
XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772....