Lucene search

5 matches found

CVE
added 2016/04/26 2:59 p.m., 209 views

CVE-2016-3081

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

CVSS 9.3, AI score 8.2, EPSS 0.94025
CVE
added 2016/04/26 2:59 p.m., 76 views

CVE-2016-3082

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

CVSS 10, AI score 9.6, EPSS 0.27347
CVE
added 2016/04/12 4:59 p.m., 73 views

CVE-2016-4003

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

CVSS 6.1, AI score 5.9, EPSS 0.02936
CVE
added 2016/04/12 4:59 p.m., 67 views

CVE-2016-0785

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

CVSS 9, AI score 8.7, EPSS 0.33397
CVE
added 2016/04/12 4:59 p.m., 54 views

CVE-2016-2162

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

CVSS 6.1, AI score 5.8, EPSS 0.06525