Lucene search: ApacheStruts

90 matches found

CVE-2018-1327
added 2018/03/27 9:00 p.m., 102 views

CVE-2018-1327 affects the Apache Struts REST Plugin via the XStream deserialization path, enabling a remote DoS when a malicious XML payload is processed. The advisory chain shows that upgrading to Struts 2.5.16 and switching to the optional Jackson XML handler (or implementing a custom XML handl...

CVSS 7.5, AI score 7.4, EPSS 0.09224

CVE-2013-2135
added 2013/07/16 6:00 p.m., 101 views

CVE-2013-2135 affects Apache Struts 2 prior to 2.3.14.3, allowing remote execution via OGNL when a crafted value contains both "${}" and "%{}" sequences that cause double evaluation. The issue is documented in multiple sources (S2-015) and is tied to how includeParams is handled in certain reques...

CVSS 9.3, AI score 8.1, EPSS 0.13828
Tags: In wild

CVE-2016-4003
added 2016/04/12 4:00 p.m., 97 views

CVE-2016-4003 is a cross-site scripting (XSS) vulnerability in the URLDecoder component used by Apache Struts 2.x (pre-2.3.28) when a single-byte page encoding is assumed. An attacker can craft a URL-encoded parameter containing multi-byte characters to inject script/HTML in victims’ browsers. Th...

CVSS 6.1, AI score 5.9, EPSS 0.12018

CVE-2023-34149
added 2023/06/14 7:48 a.m., 96 views

CVE-2023-34149 describes a denial-of-service flaw in Apache Struts caused by a vulnerability in how setProperty() is handled compared to getProperty(). The issue affects Struts up to 2.5.30 and up to 6.1.2, with remediation available by upgrading to Struts 2.5.31 or 6.1.2.1 (or greater). IBM and ...

CVSS 6.5, AI score 5.4, EPSS 0.05403

CVE-2006-1548
added 2006/03/30 10:00 p.m., 94 views

CVE-2006-1548 is an XSS vulnerability in Apache Struts prior to 1.2.9. The flaw allows remote attackers to inject arbitrary script/HTML via the request parameter name in LookUpDispatchAction, and possibly DispatchAction and ActionDispatcher, with the error message not filtering the input. Connect...

CVSS 4.3, AI score 5.6, EPSS 0.05047

CVE-2011-1772
added 2011/05/13 5:00 p.m., 94 views

CVE-2011-1772 is a cross-site scripting (XSS) vulnerability affecting Apache Struts 2.x (XWork) and OpenSymphony WebWork, with XWork error page generation failing to escape certain inputs. The issue arises from improper validation of user-supplied input when generating the action name for error p...

CVSS 2.6, AI score 5.5, EPSS 0.33111

CVE-2016-0785
added 2016/04/12 4:00 p.m., 94 views

CVE-2016-0785 affects Apache Struts 2.x; the vulnerability arises from a double OGNL evaluation in tag attributes (forced OGNL). Affected versions include Struts 2.x before 2.3.29 (with references across IBM advisories and OSVs). Exploitation status is not detailed in the provided documents. Remediat...

CVSS 9, AI score 8.7, EPSS 0.08812

CVE-2008-2025
added 2009/04/09 3:00 p.m., 93 views

CVE-2008-2025 is an XSS vulnerability in Apache Struts (prior to 1.2.9-162.31.1 on SUSE SLE 11, prior to 1.2.9-108.2 on SUSE openSUSE 10.3, prior to 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1) caused by insufficient quoting of parameters. Remote attackers ...

CVSS 4.3, AI score 6.6, EPSS 0.07911

CVE-2015-2992
added 2020/02/27 5:45 p.m., 93 views

Apache Struts CVE-2015-2992 is an XSS vulnerability in Struts before 2.3.20, caused by improper validation of user input when JSP files are accessed directly. Exploitation could allow a remote attacker to run scripts in the victim’s browser and steal cookies. Affected products/versions include St...

CVSS 6.1, AI score 5.8, EPSS 0.07203

CVE-2016-3082
added 2016/04/26 2:00 p.m., 93 views

CVE-2016-3082 affects Apache Struts 2.x; using XSLTResult, remote code execution is possible via the stylesheet location parameter. Affected: 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1. Impact: arbitrary code execution on the server. Remediation: upgrade to patche...

CVSS 10, AI score 9.6, EPSS 0.20829

CVE-2016-4430
added 2016/07/04 10:00 p.m., 92 views

CVE-2016-4430 affects Apache Struts 2.3.20–2.3.28.1, where token validation is mishandled, enabling remote CSRF attacks via unspecified vectors. Public sources in connected docs (IBM security advisories and the NVD entry) corroborate the CSRF impact and tie it to the same Struts versions. The vul...

CVSS 8.8, AI score 8.5, EPSS 0.03956

CVE-2016-4436
added 2016/10/03 3:00 p.m., 90 views

CVE-2016-4436: Apache Struts 2 is affected by a vulnerability of unspecified impact due to improper action name cleanup. The CVE entry covers versions 2.3.x before 2.3.29 and 2.5.x before 2.5.1. Connected IBM and IBM-related advisories explicitly reference this CVE and reiterate that upg...

CVSS 9.8, AI score 8.5, EPSS 0.06549

CVE-2013-4310
added 2013/09/30 9:00 p.m., 89 views

CVE-2013-4310 is an Apache Struts 2 vulnerability (prefix action: bypass) with a CVSS v2 base score 5.8 (network, low complexity). IBM security bulletins tie this to IBM SAN Volume Controller, Storwize family, Storwize V7000, V5000, V3700, V3500 (Lenovo) and related IBM Flex System components. In I...

CVSS 5.8, AI score 7.7, EPSS 0.07457

CVE-2012-1592
added 2019/12/05 8:57 p.m., 87 views

Apache Struts 2 is affected by a local code execution vulnerability involving processing malformed XSLT files. The issue affects Struts 2 versions prior to 2.5.22 and can allow a malicious user to upload and execute arbitrary files on the server. A fix exists with Struts 2.5.22 or later; advisory e...

CVSS 8.8, AI score 8.8, EPSS 0.2855

CVE-2005-3745
added 2005/11/22 11:00 a.m., 86 views

CVE-2005-3745 is an XSS vulnerability in Apache Struts 1.x (notably 1.2.7) where an attacker can inject arbitrary script/HTML via the query string in error messages due to improper quoting/filtering. Connected documents corroborate multiple vendor advisories: Red Hat notes that Struts 1.2.8 fixe...

CVSS 4.3, AI score 5.7, EPSS 0.25707

CVE-2016-4465
added 2016/07/04 10:00 p.m., 85 views

CVE-2016-4465 affects Apache Struts 2, specifically the URLValidator. Versions 2.3.20–2.3.28.1 and 2.5.x before 2.5.1 are vulnerable to denial of service when a null value is submitted for a URL field, due to improper validation. The issue is caused by URLValidator handling flaws that allow an un...

CVSS 5.3, AI score 5.3, EPSS 0.10638

CVE-2008-6505
added 2009/03/23 2:00 p.m., 84 views

CVE-2008-6505 affects Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3. The vulnerability is a directory traversal issue triggered by an encoded dot-dot-slash sequence in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1.x. Explo...

CVSS 5, AI score 6.8, EPSS 0.72522

CVE-2012-4386
added 2012/09/05 11:00 p.m., 83 views

CVE-2012-4386 affects Apache Struts 2.x (2.0.0–2.3.4). The token check mechanism fails to validate the token name configuration parameter, enabling CSRF by setting the token name to a session attribute. Impact described in sources: cross-site request forgery with potential unauthorized actions wh...

CVSS 6.8, AI score 6.7, EPSS 0.03333

CVE-2014-7809
added 2014/12/10 3:00 p.m., 83 views

CVE-2014-7809 affects Apache Struts 2.0.0–2.3.x with predictable values, enabling remote CSRF bypass. Connected IBM advisories confirm impact on IBM FlashSystem 840/V840-AC0/AC1 nodes and IBM SAN Storwize, IBM Sterling Order Management, Call Center, and related products where Struts is used as p...

CVSS 6.8, AI score 6.7, EPSS 0.03486

CVE-2015-5209
added 2017/08/29 3:00 p.m., 83 views

CVE-2015-5209 affects Apache Struts 2.x and allows a remote attacker to gain unauthorized access by manipulating a special top-level object in Struts' ValueStack, enabling manipulation of internal settings and user sessions. Public advisories and IBM notices enumerate affected IBM products (IBM S...

CVSS 7.5, AI score 7.3, EPSS 0.09063

CVE-2012-4387
added 2012/09/05 11:00 p.m., 82 views

CVE-2012-4387 is an Apache Struts DoS vulnerability: a remote attacker can cause CPU exhaustion by sending a long parameter name that is processed as an OGNL expression. The issue affects Struts 2.0.0–2.3.4. In the connected IBM advisories, remediation centers on upgrading IBM Sterling Order Manage...

CVSS 5, AI score 6.5, EPSS 0.08353

CVE-2016-8738
added 2017/09/20 5:00 p.m., 82 views

CVE-2016-8738 affects Apache Struts 2.5 to 2.5.5. The issue arises when an application accepts a URL in a form field and uses the built-in URLValidator; a specially crafted URL can be used to overload the server during URL validation, yielding a DoS effect. The provided documents confirm the vuln...

CVSS 5.9, AI score 5.5, EPSS 0.03347

CVE-2015-1831
added 2015/07/16 2:00 p.m., 81 views

CVE-2015-1831 concerns Apache Struts 2.3.20, where misleading default excludeParams could let an attacker alter an application’s internal state. IBM advisories list affected IBM storage platforms (FlashSystem 900/V840/V9000 and Storwize families) with fixes in specific code levels (e.g., FlashS...

CVSS 7.5, AI score 6.5, EPSS 0.06312

CVE-2015-5169
added 2017/09/25 9:00 p.m., 81 views

Apache Struts is affected by an XSS vulnerability (CVE-2015-5169) present in Struts versions prior to 2.3.20. When debug mode is enabled, specially crafted inputs can trigger arbitrary script execution in a victim’s browser in the context of the web application. Public advisories and vendor notes...

CVSS 6.1, AI score 5.9, EPSS 0.08027

CVE-2016-3093
added 2016/06/07 6:00 p.m., 81 views

CVE-2016-3093 affects Apache Struts 2.0.0–2.3.24.1. The vulnerability is due to improper caching of method references when OGNL is used, enabling a remote attacker to cause a denial of service (block access to a website). Several connected advisories corroborate the issue and label the impact as ...

CVSS 5.3, AI score 5.3, EPSS 0.10818

CVE-2016-4461
added 2017/10/16 4:00 p.m., 78 views

CVE-2016-4461: Apache Struts vulnerability causing remote code execution via forced double OGNL evaluation. IBM/security bulletins show affected IBM FlashSystem products (V840, V900, Storwize/SAN volumes) with vulnerable VRMFs and the need to upgrade to fixed code levels. IBM Bulletins list affec...

CVSS 9, AI score 8.8, EPSS 0.08341

CVE-2012-0393
added 2012/01/08 3:00 p.m., 77 views

CVE-2012-0393 concerns Apache Struts 2.x. The vulnerability lies in the ParameterInterceptor component not preventing access to public constructors, allowing a remote attacker to cause the creation of Java objects and thus “trigger” the creation or overwrite of arbitrary files via a crafted param...

CVSS 6.4, AI score 8.8, EPSS 0.38261

CVE-2012-1006
added 2012/02/07 2:00 a.m., 77 views

CVE-2012-1006 refers to multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3. The flaws allow remote attackers to inject arbitrary web script or HTML via parameters in the Struts2 showcase applications: (1) name, (2) lastName to struts2-showcase/person/editPerson....

CVSS 4.3, AI score 5.6, EPSS 0.58476
Tags: Web

CVE-2016-4433
added 2016/07/04 10:00 p.m., 77 views

CVE-2016-4433 affects Apache Struts 2.2.3.20–2.3.28.1, where a crafted request can bypass access restrictions and trigger redirection attacks. Multiple connected sources (NVD description; IBM advisories for Struts-related products) confirm the same affected range and attack pattern. The provided ...

CVSS 7.5, AI score 7.7, EPSS 0.10013

CVE-2007-6726
added 2009/04/09 3:00 p.m., 76 views

CVE-2007-6726 refers to multiple XSS vulnerabilities in Dojo 0.4.1 and 0.4.2 as used in Apache Struts and other products. The issues allow remote injection of arbitrary script/HTML via vectors involving xip_client.html and xip_server.html in src/io/. The NVD entry lists a MEDIUM severity (CVSSv2:...

CVSS 4.3, AI score 5.8, EPSS 0.03447

CVE-2013-6348
added 2013/11/02 9:00 p.m., 76 views

CVE-2013-6348 refers to multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.x (specifically

CVSS 4.3, AI score 5.8, EPSS 0.06125
Tags: Web

CVE-2016-2162
added 2016/04/12 4:00 p.m., 75 views

CVE-2016-2162 affects Apache Struts 2.x where the Locale object created by I18NInterceptor is not sanitized, enabling remote XSS via crafted language-display inputs. The described impact is XSS in the victim’s browser within the web site's context. Affected versions are Struts 2.x prior to 2.3.25...

CVSS 6.1, AI score 5.8, EPSS 0.09231

CVE-2008-6682
added 2009/04/09 3:00 p.m., 74 views

Apache Struts is affected by multiple cross-site scripting (XSS) vulnerabilities in 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1. The issue arises from improper handling of (1) double-quote characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag, ...

CVSS 4.3, AI score 5.7, EPSS 0.05614

CVE-2011-2088
added 2011/05/13 5:00 p.m., 68 views

CVE-2011-2088 affects XWork (Apache Struts 2.2.1 / OpenSymphony XWork) where XWork-generated error pages could reveal internal Java class path information via an s:submit element and a nonexistent method. This is tied to the CVE-2011-1772 family and is described as a separate vulnerability relate...

CVSS 5, AI score 5.9, EPSS 0.0614

CVE-2016-4431
added 2016/07/04 10:00 p.m., 68 views

CVE-2016-4431 affects Apache Struts 2.2.3.20–2.3.28.1, allowing remote attackers to bypass access restrictions and perform redirection via the default action method. Multiple connected advisories identify this as an in-the-wild risk in various IBM FlashSystem products and related Struts deploymen...

CVSS 7.5, AI score 7.8, EPSS 0.10013

CVE-2011-5057
added 2012/01/08 5:00 p.m., 62 views

CVE-2011-5057 affects Apache Struts 2.3.1.2 and earlier (2.3.19–2.3.23). The issue arises from interfaces such as SessionAware/RequestAware not properly restricting access to session/request collections, enabling a remote attacker to modify runtime data via crafted parameters. Vendor notes (and s...

CVSS 5, AI score 8.8, EPSS 0.28628

CVE-2016-3090
added 2017/10/30 2:00 p.m., 60 views

CVE-2016-3090: Apache Struts 2.x prior to 2.3.20 is vulnerable. The issue lies in the TextParseUtil.translateVariables method, exposed via a crafted OGNL expression using ANTLR tooling. Impact: remote code execution (RCE) with network access. Exploitation: attack...

CVSS 8.8, AI score 8.7, EPSS 0.06142

CVE-2011-2087
added 2011/05/13 5:00 p.m., 59 views

CVE-2011-2087 affects the javatemplates (Java Templates) plugin in Apache Struts 2.x prior to 2.2.3. The issue is multiple XSS vulnerabilities in eight component handlers (FileHandler.java, HiddenHandler.java, PasswordHandler.java, RadioHandler.java, ResetHandler.java, SelectHandler.java, SubmitH...

CVSS 4.3, AI score 5.8, EPSS 0.06127

CVE-2025-64775
added 2025/12/01 4:07 p.m., 43 views

CVE-2025-64775 affects Apache Struts 2.x (2.0.0–6.7.0) and 7.0.0–7.0.3. The issue is a denial of service caused by a file leak in multipart request processing that can exhaust disk space. The available public details describe the impact as DoS and do not indicate exploitation specifics beyond the...

CVSS 7.5, AI score 6.5, EPSS 0.01456

CVE-2025-66675
added 2025/12/10 9:32 a.m., 19 views

The CVE-2025-66675 issue is an Apache Struts Denial of Service vulnerability caused by a file leak during multipart request processing, which can lead to disk exhaustion. Affected versions are Struts 2.0.0–6.7.4 and 7.0.0–7.0.3. The documented remediation is to upgrade to Struts 6.8.0 or 7.1.1, w...

CVSS 8.2, AI score 6.5, EPSS 0.00508

Total number of security vulnerabilities: 90