Lucene search
+L
ApacheStruts

12 matches found

CVE
CVE
added 2020/12/16 1:5 a.m.345 views

CVE-2020-26259

CVE-2020-26259 affects XStream in IBM Storage Copy Data Management (2.2.0.0–2.2.25.0). Unmarshalling user-supplied data could allow arbitrary file deletion on the host if the process runs with sufficient privileges. IBM’s remediation for the affected products is to upgrade to 2.2.26.0 (Linux) and...

6.8CVSS7.5AI score0.82392EPSS
CVE
CVE
added 2012/01/08 3:0 p.m.205 views

CVE-2012-0394

CVE-2012-0394 affects Apache Struts 2.x, specifically the DebuggingInterceptor component when Developer Mode is enabled. The IBM security bulletin consolidates multiple Struts CVEs and states that the vulnerable code related to CVE-2012-0394 is not in use in Order Management, lowering risk; the a...

6.8CVSS9.2AI score0.74405EPSS
Web
CVE
CVE
added 2012/01/08 3:0 p.m.177 views

CVE-2012-0392

CVE-2012-0392 affects Apache Struts: CookieInterceptor does not enforce a parameter-name whitelist, enabling remote code execution via a crafted HTTP Cookie header that can trigger Java code execution through a static method. The Nuclei template confirms this as part of the S2-008 family, describ...

6.8CVSS9.3AI score0.96787EPSS
CVE
CVE
added 2017/12/01 4:0 p.m.108 views

CVE-2017-15707

Apache Struts REST plugin (versions 2.5–2.5.14) is vulnerable due to the REST plugin using an outdated JSON-lib library, enabling a remote attacker to cause a denial of service by sending a specially crafted JSON payload. Vulnerable component: Struts 2.x with REST plugin; root cause: insecure JSO...

6.2CVSS6.2AI score0.04889EPSS
CVE
CVE
added 2016/04/12 4:0 p.m.101 views

CVE-2016-4003

CVE-2016-4003 is a cross-site scripting (XSS) vulnerability in the URLDecoder component used by Apache Struts 2.x (pre-2.3.28) when a single-byte page encoding is assumed. An attacker can craft a URL-encoded parameter containing multi-byte characters to inject script/HTML in victims’ browsers. Th...

6.1CVSS5.9AI score0.11562EPSS
CVE
CVE
added 2023/06/14 7:48 a.m.100 views

CVE-2023-34149

CVE-2023-34149 describes a denial-of-service flaw in Apache Struts caused by a vulnerability in how setProperty() is handled compared to getProperty(). The issue affects Struts up to 2.5.30 and up to 6.1.2, with remediation available by upgrading to Struts 2.5.31 or 6.1.2.1 (or greater). IBM and ...

6.5CVSS5.4AI score0.05403EPSS
CVE
CVE
added 2020/02/27 5:45 p.m.99 views

CVE-2015-2992

Apache Struts CVE-2015-2992 is an XSS vulnerability in Struts before 2.3.20, caused by improper validation of user input when JSP files are accessed directly. Exploitation could allow a remote attacker to run scripts in the victim’s browser and steal cookies. Affected products/versions include St...

6.1CVSS5.8AI score0.05757EPSS
CVE
CVE
added 2014/12/10 3:0 p.m.86 views

CVE-2014-7809

CVE-2014-7809 affects Apache Struts 2.0.0–2.3.x with predictable values, enabling remote CSRF bypass. Connected IBM advisories confirm impact on IBM FlashSystem 840/V840-AC0/AC1 nodes and IBM SAN Storwize, IBM Sterling Order Management, Call Center, and related products where Struts is used as p...

6.8CVSS6.7AI score0.03486EPSS
CVE
CVE
added 2012/09/05 11:0 p.m.85 views

CVE-2012-4386

CVE-2012-4386 affects Apache Struts 2.x (2.0.0–2.3.4). The token check mechanism fails to validate the token name configuration parameter, enabling CSRF by setting the token name to a session attribute. Impact described in sources: cross-site request forgery with potential unauthorized actions wh...

6.8CVSS6.7AI score0.03333EPSS
CVE
CVE
added 2017/09/25 9:0 p.m.83 views

CVE-2015-5169

Apache Struts is affected by an XSS vulnerability (CVE-2015-5169) present in Struts versions prior to 2.3.20. When debug mode is enabled, specially crafted inputs can trigger arbitrary script execution in a victim’s browser in the context of the web application. Public advisories and vendor notes...

6.1CVSS5.9AI score0.07551EPSS
CVE
CVE
added 2012/01/08 3:0 p.m.79 views

CVE-2012-0393

CVE-2012-0393 concerns Apache Struts 2.x. The vulnerability lies in the ParameterInterceptor component not preventing access to public constructors, allowing a remote attacker to cause the creation of Java objects and thus “trigger” the creation or overwrite of arbitrary files via a crafted param...

6.4CVSS8.8AI score0.38261EPSS
CVE
CVE
added 2016/04/12 4:0 p.m.79 views

CVE-2016-2162

CVE-2016-2162 affects Apache Struts 2.x where the Locale object created by I18NInterceptor is not sanitized, enabling remote XSS via crafted language-display inputs. The described impact is XSS in the victim’s browser within the web site's context. Affected versions are Struts 2.x prior to 2.3.25...

6.1CVSS5.8AI score0.07987EPSS