Lucene search

K
ApacheStruts2.0.3

19 matches found

CVE
CVE
added 2017/09/20 5:29 p.m.414 views

CVE-2017-12611

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

9.8CVSS9.3AI score0.94295EPSS
CVE
CVE
added 2016/04/26 2:59 p.m.209 views

CVE-2016-3081

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

9.3CVSS8.2AI score0.94025EPSS
CVE
CVE
added 2013/07/20 3:37 a.m.194 views

CVE-2013-2248

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.

5.8CVSS7.9AI score0.93635EPSS
CVE
CVE
added 2010/08/17 8:0 p.m.153 views

CVE-2010-1870

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism...

5CVSS9.1AI score0.93509EPSS
CVE
CVE
added 2013/09/30 9:55 p.m.93 views

CVE-2013-4316

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

10CVSS7.8AI score0.07066EPSS
CVE
CVE
added 2014/05/08 10:55 a.m.91 views

CVE-2014-0116

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists be...

5.8CVSS6.1AI score0.88063EPSS
CVE
CVE
added 2009/03/23 2:19 p.m.84 views

CVE-2008-6504

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements an...

5CVSS6.8AI score0.65077EPSS
CVE
CVE
added 2016/04/26 2:59 p.m.76 views

CVE-2016-3082

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

10CVSS9.6AI score0.30239EPSS
CVE
CVE
added 2016/10/03 3:59 p.m.74 views

CVE-2016-4436

Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.

9.8CVSS8.5AI score0.06115EPSS
CVE
CVE
added 2011/05/13 5:5 p.m.72 views

CVE-2011-1772

Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or...

2.6CVSS5.5AI score0.7634EPSS
CVE
CVE
added 2013/09/30 9:55 p.m.71 views

CVE-2013-4310

Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.

5.8CVSS7.7AI score0.09489EPSS
CVE
CVE
added 2017/08/29 3:29 p.m.69 views

CVE-2015-5209

Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.

7.5CVSS7.3AI score0.03619EPSS
CVE
CVE
added 2012/09/05 11:55 p.m.68 views

CVE-2012-4387

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.

5CVSS6.5AI score0.19224EPSS
CVE
CVE
added 2016/06/07 6:59 p.m.68 views

CVE-2016-3093

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.

5.3CVSS5.3AI score0.04652EPSS
CVE
CVE
added 2012/09/05 11:55 p.m.66 views

CVE-2012-4386

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.

6.8CVSS6.7AI score0.08301EPSS
CVE
CVE
added 2014/12/10 3:59 p.m.65 views

CVE-2014-7809

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable values, which allows remote attackers to bypass the CSRF protection mechanism.

6.8CVSS6.7AI score0.12682EPSS
CVE
CVE
added 2016/04/12 4:59 p.m.54 views

CVE-2016-2162

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

6.1CVSS5.8AI score0.06525EPSS
CVE
CVE
added 2017/10/30 2:29 p.m.46 views

CVE-2016-3090

The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.

8.8CVSS8.7AI score0.02858EPSS
CVE
CVE
added 2011/05/13 5:5 p.m.45 views

CVE-2011-2087

Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling ...

4.3CVSS5.8AI score0.01391EPSS