Struts Security Vulnerabilities and Issues — Page 2 of Struts CVE List

Lucene search

ApacheStruts

87 matches found

CVE•added 2016/07/04 10:59 p.m.•77 views

CVE-2016-4430

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.

8.8CVSS8.5AI score0.03212EPSS

CVE•added 2018/03/27 9:29 p.m.•77 views

CVE-2018-1327

The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apac...

7.5CVSS7.4AI score0.03356EPSS

CVE•added 2016/04/26 2:59 p.m.•76 views

CVE-2016-3082

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

10CVSS9.6AI score0.30239EPSS

CVE•added 2016/10/03 3:59 p.m.•74 views

CVE-2016-4436

Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.

9.8CVSS8.5AI score0.06115EPSS

CVE•added 2023/06/14 8:15 a.m.•74 views

CVE-2023-34149

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.

6.5CVSS5.4AI score0.00062EPSS

CVE•added 2016/04/12 4:59 p.m.•73 views

CVE-2016-4003

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

6.1CVSS5.9AI score0.02936EPSS

CVE•added 2011/05/13 5:5 p.m.•72 views

CVE-2011-1772

Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or...

2.6CVSS5.5AI score0.7634EPSS

CVE•added 2005/11/22 11:3 a.m.•71 views

CVE-2005-3745

Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message.

4.3CVSS5.7AI score0.55839EPSS

CVE•added 2013/09/30 9:55 p.m.•71 views

CVE-2013-4310

Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.

5.8CVSS7.7AI score0.09489EPSS

CVE•added 2016/06/07 6:59 p.m.•71 views

CVE-2016-3087

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

9.8CVSS9.5AI score0.86541EPSS

CVE•added 2019/12/05 9:15 p.m.•69 views

CVE-2012-1592

A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.

8.8CVSS8.8AI score0.00806EPSS

CVE•added 2017/08/29 3:29 p.m.•69 views

CVE-2015-5209

Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.

7.5CVSS7.3AI score0.03619EPSS

CVE•added 2012/09/05 11:55 p.m.•68 views

CVE-2012-4387

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.

5CVSS6.5AI score0.19224EPSS

CVE•added 2016/06/07 6:59 p.m.•68 views

CVE-2016-3093

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.

5.3CVSS5.3AI score0.04652EPSS

CVE•added 2020/02/27 6:15 p.m.•67 views

CVE-2015-2992

Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.

6.1CVSS5.8AI score0.01052EPSS

CVE•added 2016/04/12 4:59 p.m.•67 views

CVE-2016-0785

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

9CVSS8.7AI score0.33397EPSS

CVE•added 2012/09/05 11:55 p.m.•66 views

CVE-2012-4386

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.

6.8CVSS6.7AI score0.08301EPSS

CVE•added 2015/07/16 2:59 p.m.•66 views

CVE-2015-1831

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.

7.5CVSS6.5AI score0.06005EPSS

CVE•added 2017/09/20 5:29 p.m.•66 views

CVE-2016-8738

In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.

5.9CVSS5.5AI score0.006EPSS

CVE•added 2009/03/23 2:19 p.m.•65 views

CVE-2008-6505

Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in...

5CVSS6.8AI score0.5752EPSS

CVE•added 2014/12/10 3:59 p.m.•65 views

CVE-2014-7809

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable values, which allows remote attackers to bypass the CSRF protection mechanism.

6.8CVSS6.7AI score0.12682EPSS

CVE•added 2009/04/09 3:8 p.m.•64 views

CVE-2008-2025

Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web scr...

4.3CVSS6.6AI score0.02467EPSS

CVE•added 2016/07/04 10:59 p.m.•64 views

CVE-2016-4465

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.

5.3CVSS5.3AI score0.13342EPSS

CVE•added 2009/04/09 3:8 p.m.•63 views

CVE-2007-6726

Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving (1) xip_client.html and (2) xip_server.html in src/io/.

4.3CVSS5.8AI score0.01495EPSS

CVE•added 2017/09/25 9:29 p.m.•63 views

CVE-2015-5169

Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.

6.1CVSS5.9AI score0.01559EPSS

CVE•added 2012/01/08 3:55 p.m.•60 views

CVE-2012-0393

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

6.4CVSS8.8AI score0.89246EPSS

CVE•added 2016/07/04 10:59 p.m.•60 views

CVE-2016-4433

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.

7.5CVSS7.7AI score0.10632EPSS

CVE•added 2012/02/07 4:9 a.m.•59 views

CVE-2012-1006

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/order...

4.3CVSS5.6AI score0.83896EPSS

CVE•added 2013/11/02 9:55 p.m.•58 views

CVE-2013-6348

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/.

4.3CVSS5.8AI score0.06815EPSS

CVE•added 2017/10/16 4:29 p.m.•58 views

CVE-2016-4461

Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.

9CVSS8.8AI score0.33397EPSS

CVE•added 2016/04/12 4:59 p.m.•54 views

CVE-2016-2162

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

6.1CVSS5.8AI score0.06525EPSS

CVE•added 2016/07/04 10:59 p.m.•54 views

CVE-2016-4431

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.

7.5CVSS7.8AI score0.22062EPSS

CVE•added 2011/05/13 5:5 p.m.•52 views

CVE-2011-2088

XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3.

5CVSS5.9AI score0.7634EPSS

CVE•added 2009/04/09 3:8 p.m.•50 views

CVE-2008-6682

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2...

4.3CVSS5.7AI score0.01223EPSS

CVE•added 2017/10/30 2:29 p.m.•46 views

CVE-2016-3090

The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.

8.8CVSS8.7AI score0.02858EPSS

CVE•added 2011/05/13 5:5 p.m.•45 views

CVE-2011-2087

Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling ...

4.3CVSS5.8AI score0.01391EPSS

CVE•added 2012/01/08 5:55 p.m.•44 views

CVE-2011-5057

Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affec...

5CVSS8.8AI score0.69878EPSS

Total number of security vulnerabilities87