Struts@2.3.24.1 Security Vulnerabilities and Issues — Struts@2.3.24.1 CVE List

Lucene search

ApacheStruts2.3.24.1

14 matches found

CVE•added 2017/07/10 4:29 p.m.•1062 views

CVE-2017-9791

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

9.8CVSS9.4AI score0.94263EPSS

CVE•added 2016/04/26 2:59 p.m.•209 views

CVE-2016-3081

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

9.3CVSS8.2AI score0.94025EPSS

CVE•added 2017/07/13 3:29 p.m.•103 views

CVE-2017-9787

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

7.5CVSS7.4AI score0.13883EPSS

CVE•added 2017/09/20 5:29 p.m.•95 views

CVE-2016-6795

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.

9.8CVSS9.5AI score0.12481EPSS

CVE•added 2016/07/04 10:59 p.m.•89 views

CVE-2016-4438

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.

9.8CVSS9.4AI score0.53496EPSS

CVE•added 2016/07/04 10:59 p.m.•77 views

CVE-2016-4430

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.

8.8CVSS8.5AI score0.03212EPSS

CVE•added 2016/04/26 2:59 p.m.•76 views

CVE-2016-3082

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

10CVSS9.6AI score0.30239EPSS

CVE•added 2016/10/03 3:59 p.m.•74 views

CVE-2016-4436

Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.

9.8CVSS8.5AI score0.06115EPSS

CVE•added 2016/06/07 6:59 p.m.•71 views

CVE-2016-3087

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

9.8CVSS9.5AI score0.86541EPSS

CVE•added 2016/06/07 6:59 p.m.•68 views

CVE-2016-3093

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.

5.3CVSS5.3AI score0.04652EPSS

CVE•added 2016/07/04 10:59 p.m.•64 views

CVE-2016-4465

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.

5.3CVSS5.3AI score0.13342EPSS

CVE•added 2016/07/04 10:59 p.m.•60 views

CVE-2016-4433

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.

7.5CVSS7.7AI score0.10632EPSS

CVE•added 2016/04/12 4:59 p.m.•54 views

CVE-2016-2162

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

6.1CVSS5.8AI score0.06525EPSS

CVE•added 2016/07/04 10:59 p.m.•54 views

CVE-2016-4431

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.

7.5CVSS7.8AI score0.22062EPSS