Lucene search
+L
ApacheStruts

14 matches found

CVE
CVE
added 2013/07/18 1:0 a.m.235 views

CVE-2013-2248

CVE-2013-2248 involves multiple open-redirect vulnerabilities in Apache Struts 2, affecting 2.0.0 through 2.3.15. An attacker can craft a URL using the redirect:, redirectAction:, or related parameters to redirect victims to arbitrary sites, enabling phishing attempts. The connected Nuclei templa...

5.8CVSS7.9AI score0.94654EPSS
Web
CVE
CVE
added 2010/08/17 5:31 p.m.209 views

CVE-2010-1870

The CVE-2010-1870 entry covers OGNL expression evaluation in XWork (Struts 2.0.0–2.1.8.1) with a permissive whitelist that allows remote modification of server-side context objects and bypass of the # protection via OGNL context variables (e.g., #context, #root, #this, etc.). Cisco advisory notes...

5CVSS9.1AI score0.91079EPSS
Web
CVE
CVE
added 2014/03/10 2:0 p.m.164 views

CVE-2014-0094

CVE-2014-0094 affects Apache Struts where the ParametersInterceptor before 2.3.16.2 allows a crafted request to pass a class parameter to getClass(), enabling ClassLoader manipulation and remote code execution in vulnerable deployments. Public references note exploitation in versions prior to 2.3...

5CVSS9.1AI score0.99614EPSS
CVE
CVE
added 2017/07/13 3:0 p.m.132 views

CVE-2017-7672

CVE-2017-9805 is an RCE in Apache Struts 2 via the REST plugin using XStreamHandler deserializing XML without type filtering. Impact arises when an XML payload is deserialized, allowing remote code execution. Affected Apache Struts 2 REST plugin versions include 2.3.x before 2.3.34 and 2.5.x befo...

5.9CVSS6.2AI score0.09362EPSS
CVE
CVE
added 2014/05/08 10:0 a.m.115 views

CVE-2014-0116

Apache Struts 2.x vulnerable to ClassLoader manipulation via CookieInterceptor (getClass access) when using wildcard cookiesName, allowing remote code execution. Affects Struts 2.x before 2.3.20 (and multiple related CVEs linked to the same class loader flaw, including CVE-2014-0112 and CVE-2014-...

5.8CVSS6.1AI score0.06516EPSS
CVE
CVE
added 2009/03/23 2:0 p.m.103 views

CVE-2008-6504

CVE-2008-6504 affects OpenSymphony XWork (ParameterInterceptor) used in Apache Struts: OGNL refs to # context objects are not properly restricted, enabling remote OGNL evaluation and modification of server-side objects. Affected: XWork 2.0.x prior to 2.0.6 and 2.1.x prior to 2.1.2; vulnerability ...

5CVSS6.8AI score0.3635EPSS
CVE
CVE
added 2016/07/04 10:0 p.m.91 views

CVE-2016-4465

CVE-2016-4465 affects Apache Struts 2, specifically the URLValidator. Versions 2.3.20–2.3.28.1 and 2.5.x before 2.5.1 are vulnerable to denial of service when a null value is submitted for a URL field, due to improper validation. The issue is caused by URLValidator handling flaws that allow an un...

5.3CVSS5.3AI score0.10638EPSS
CVE
CVE
added 2013/09/30 9:0 p.m.90 views

CVE-2013-4310

CVE-2013-4310 is an Apache Struts 2 vulnerability (prefix action: bypass) with a CVSS v2 base score 5.8 (network, low complexity). IBM security bullets tie this to IBM SAN Volume Controller, Storwize family, Storwize V7000, V5000, V3700, V3500 (Lenovo) and related IBM Flex System components. In I...

5.8CVSS7.7AI score0.07457EPSS
Web
CVE
CVE
added 2009/03/23 2:0 p.m.89 views

CVE-2008-6505

CVE-2008-6505 affects Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3. The vulnerability is a directory traversal issue triggered by a encoded dot-dot-slash sequence in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1.x. Explo...

5CVSS6.8AI score0.72522EPSS
CVE
CVE
added 2017/09/20 5:0 p.m.84 views

CVE-2016-8738

CVE-2016-8738 affects Apache Struts 2.5 to 2.5.5. The issue arises when an application accepts a URL in a form field and uses the built-in URLValidator; a specially crafted URL can be used to overload the server during URL validation, yielding a DoS effect. The provided documents confirm the vuln...

5.9CVSS5.5AI score0.03347EPSS
CVE
CVE
added 2012/09/05 11:0 p.m.83 views

CVE-2012-4387

CVE-2012-4387 is an Apache Struts DoS vulnerability: remote attacker can cause CPU exhaustion by sending a long parameter name that is processed as an OGNL expression. The issue affects Struts 2.0.0–2.3.4. In the connected IBM advisories, remediation centers on upgrading IBM Sterling Order Manage...

5CVSS6.5AI score0.08353EPSS
CVE
CVE
added 2016/06/07 6:0 p.m.82 views

CVE-2016-3093

CVE-2016-3093 affects Apache Struts 2.0.0–2.3.24.1. The vulnerability is due to improper caching of method references when OGNL is used, enabling a remote attacker to cause a denial of service (block access to a website). Several connected advisories corroborate the issue and label the impact as ...

5.3CVSS5.3AI score0.08667EPSS
CVE
CVE
added 2011/05/13 5:0 p.m.73 views

CVE-2011-2088

CVE-2011-2088 affects XWork (Apache Struts 2.2.1 / OpenSymphony XWork) where XWork-generated error pages could reveal internal Java class path information via an s:submit element and a nonexistent method. This is tied to the CVE-2011-1772 family and is described as a separate vulnerability relate...

5CVSS5.9AI score0.0614EPSS
CVE
CVE
added 2012/01/08 5:0 p.m.63 views

CVE-2011-5057

CVE-2011-5057 affects Apache Struts 2.3.1.2 and earlier (2.3.19–2.3.23). The issue arises from interfaces such as SessionAware/RequestAware not properly restricting access to session/request collections, enabling a remote attacker to modify runtime data via crafted parameters. Vendor notes (and s...

5CVSS8.8AI score0.28628EPSS