Lucene search

K

48 matches found

CVE
CVE
added 2024/12/11 4:15 p.m.3963 views

CVE-2024-53677

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4....

9.8CVSS6.5AI score0.92345EPSS
CVE
CVE
added 2018/08/22 1:29 p.m.1649 views

CVE-2018-11776

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace...

9.3CVSS8.4AI score0.94427EPSS
CVE
CVE
added 2017/03/11 2:59 a.m.1639 views

CVE-2017-5638

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Co...

10CVSS9.2AI score0.94267EPSS
CVE
CVE
added 2017/09/15 7:29 p.m.1398 views

CVE-2017-9805

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

8.1CVSS8.4AI score0.9439EPSS
CVE
CVE
added 2020/12/11 2:15 a.m.1321 views

CVE-2020-17530

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

9.8CVSS9.6AI score0.94395EPSS
CVE
CVE
added 2013/07/20 3:37 a.m.1098 views

CVE-2013-2251

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

9.8CVSS8AI score0.94226EPSS
CVE
CVE
added 2012/01/08 3:55 p.m.1073 views

CVE-2012-0391

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

9.8CVSS8.5AI score0.90887EPSS
CVE
CVE
added 2017/07/10 4:29 p.m.1061 views

CVE-2017-9791

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

9.8CVSS9.4AI score0.94263EPSS
CVE
CVE
added 2006/03/30 10:2 p.m.1046 views

CVE-2006-1547

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elem...

7.8CVSS7.2AI score0.1367EPSS
CVE
CVE
added 2017/09/20 5:29 p.m.414 views

CVE-2017-12611

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

9.8CVSS9.3AI score0.94295EPSS
CVE
CVE
added 2020/09/14 5:15 p.m.406 views

CVE-2019-0230

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

9.8CVSS9.5AI score0.93849EPSS
CVE
CVE
added 2023/12/07 9:15 a.m.364 views

CVE-2023-50164

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this iss...

9.8CVSS9.8AI score0.93674EPSS
CVE
CVE
added 2022/04/12 4:15 p.m.274 views

CVE-2021-31805

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a ...

9.8CVSS9.8AI score0.94395EPSS
CVE
CVE
added 2020/12/16 1:15 a.m.262 views

CVE-2020-26258

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly availa...

7.7CVSS8.1AI score0.9368EPSS
CVE
CVE
added 2020/12/16 1:15 a.m.255 views

CVE-2020-26259

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing ...

6.8CVSS7.5AI score0.91436EPSS
CVE
CVE
added 2019/11/01 2:15 p.m.246 views

CVE-2011-3923

Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.

9.8CVSS9.5AI score0.89547EPSS
CVE
CVE
added 2013/07/16 6:55 p.m.217 views

CVE-2013-2134

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

9.3CVSS8.1AI score0.91128EPSS
CVE
CVE
added 2012/01/08 3:55 p.m.166 views

CVE-2012-0394

The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself.

6.8CVSS9.2AI score0.93732EPSS
CVE
CVE
added 2014/03/11 1:0 p.m.130 views

CVE-2014-0094

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

5CVSS9.1AI score0.93075EPSS
CVE
CVE
added 2012/01/08 3:55 p.m.129 views

CVE-2012-0392

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

6.8CVSS9.3AI score0.93052EPSS
CVE
CVE
added 2020/09/14 5:15 p.m.128 views

CVE-2019-0233

An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.

7.5CVSS8.1AI score0.06858EPSS
CVE
CVE
added 2013/07/10 7:55 p.m.125 views

CVE-2013-1966

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.

9.3CVSS8AI score0.92222EPSS
CVE
CVE
added 2006/03/30 10:2 p.m.114 views

CVE-2006-1546

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check...

7.5CVSS6.3AI score0.01612EPSS
CVE
CVE
added 2013/07/10 7:55 p.m.113 views

CVE-2013-1965

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.

9.3CVSS8AI score0.9196EPSS
CVE
CVE
added 2017/07/13 3:29 p.m.110 views

CVE-2017-7672

If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Solution is to upgrade to Apache Struts version 2.5.12.

5.9CVSS6.2AI score0.01132EPSS
CVE
CVE
added 2014/04/29 10:37 a.m.104 views

CVE-2014-0112

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-00...

7.5CVSS7.3AI score0.93075EPSS
CVE
CVE
added 2023/06/14 8:15 a.m.104 views

CVE-2023-34396

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater

7.5CVSS5.7AI score0.00115EPSS
CVE
CVE
added 2017/07/13 3:29 p.m.103 views

CVE-2017-9787

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

7.5CVSS7.4AI score0.13883EPSS
CVE
CVE
added 2017/09/20 5:29 p.m.103 views

CVE-2017-9793

The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.

7.5CVSS7.4AI score0.13427EPSS
CVE
CVE
added 2017/09/20 5:29 p.m.102 views

CVE-2017-9804

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerabil...

7.5CVSS6.4AI score0.12074EPSS
CVE
CVE
added 2013/07/10 7:55 p.m.97 views

CVE-2013-2115

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.

9.3CVSS8.1AI score0.92222EPSS
CVE
CVE
added 2014/04/29 10:37 a.m.96 views

CVE-2014-0113

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists beca...

7.5CVSS7.3AI score0.93075EPSS
CVE
CVE
added 2017/09/20 5:29 p.m.95 views

CVE-2016-6795

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.

9.8CVSS9.5AI score0.12481EPSS
CVE
CVE
added 2023/12/05 9:15 a.m.89 views

CVE-2023-41835

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied.Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe ...

7.5CVSS7.3AI score0.00197EPSS
CVE
CVE
added 2017/12/01 4:29 p.m.86 views

CVE-2017-15707

In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.

6.2CVSS6.2AI score0.02482EPSS
CVE
CVE
added 2012/03/02 10:55 p.m.79 views

CVE-2012-0838

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.

10CVSS7.1AI score0.66942EPSS
CVE
CVE
added 2013/07/16 6:55 p.m.79 views

CVE-2013-2135

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.

9.3CVSS8.1AI score0.85579EPSS
CVE
CVE
added 2006/03/30 10:2 p.m.78 views

CVE-2006-1548

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the r...

4.3CVSS5.6AI score0.08769EPSS
CVE
CVE
added 2018/03/27 9:29 p.m.77 views

CVE-2018-1327

The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apac...

7.5CVSS7.4AI score0.03356EPSS
CVE
CVE
added 2023/06/14 8:15 a.m.74 views

CVE-2023-34149

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.

6.5CVSS5.4AI score0.00062EPSS
CVE
CVE
added 2016/04/12 4:59 p.m.73 views

CVE-2016-4003

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

6.1CVSS5.9AI score0.02936EPSS
CVE
CVE
added 2020/02/27 6:15 p.m.67 views

CVE-2015-2992

Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.

6.1CVSS5.8AI score0.01052EPSS
CVE
CVE
added 2016/04/12 4:59 p.m.67 views

CVE-2016-0785

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

9CVSS8.7AI score0.33397EPSS
CVE
CVE
added 2017/09/20 5:29 p.m.66 views

CVE-2016-8738

In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.

5.9CVSS5.5AI score0.006EPSS
CVE
CVE
added 2017/09/25 9:29 p.m.63 views

CVE-2015-5169

Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.

6.1CVSS5.9AI score0.01559EPSS
CVE
CVE
added 2012/01/08 3:55 p.m.60 views

CVE-2012-0393

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

6.4CVSS8.8AI score0.89246EPSS
CVE
CVE
added 2017/10/16 4:29 p.m.58 views

CVE-2016-4461

Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.

9CVSS8.8AI score0.33397EPSS
CVE
CVE
added 2012/01/08 5:55 p.m.44 views

CVE-2011-5057

Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affec...

5CVSS8.8AI score0.69878EPSS