Lucene search: ApacheStruts

12 matches found

CVE | added 2020/12/16 1:15 a.m. | 256 views

CVE-2020-26259

XStream is a Java library to serialize objects to XML and back again. XStream before version 1.4.15 is vulnerable to arbitrary file deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host as long as the executing ...

CVSS 6.8 | AI score 7.5 | EPSS 0.91436
CVE | added 2012/01/08 3:55 p.m. | 166 views

CVE-2012-0394

The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself".

CVSS 6.8 | AI score 9.2 | EPSS 0.93732
CVE | added 2012/01/08 3:55 p.m. | 129 views

CVE-2012-0392

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

CVSS 6.8 | AI score 9.3 | EPSS 0.93052
CVE | added 2017/12/01 4:29 p.m. | 86 views

CVE-2017-15707

In Apache Struts 2.5 to 2.5.14, the REST Plugin uses an outdated JSON-lib library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted JSON payload.

CVSS 6.2 | AI score 6.2 | EPSS 0.02482
CVE | added 2023/06/14 8:15 a.m. | 74 views

CVE-2023-34149

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.

CVSS 6.5 | AI score 5.4 | EPSS 0.00062
CVE | added 2016/04/12 4:59 p.m. | 73 views

CVE-2016-4003

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

CVSS 6.1 | AI score 5.9 | EPSS 0.02936
CVE | added 2020/02/27 6:15 p.m. | 67 views

CVE-2015-2992

Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.

CVSS 6.1 | AI score 5.8 | EPSS 0.01052
CVE | added 2012/09/05 11:55 p.m. | 66 views

CVE-2012-4386

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.

CVSS 6.8 | AI score 6.7 | EPSS 0.08301
CVE | added 2014/12/10 3:59 p.m. | 65 views

CVE-2014-7809

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable values, which allows remote attackers to bypass the CSRF protection mechanism.

CVSS 6.8 | AI score 6.7 | EPSS 0.12682
CVE | added 2017/09/25 9:29 p.m. | 63 views

CVE-2015-5169

Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.

CVSS 6.1 | AI score 5.9 | EPSS 0.01559
CVE | added 2012/01/08 3:55 p.m. | 60 views

CVE-2012-0393

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

CVSS 6.4 | AI score 8.8 | EPSS 0.89246
CVE | added 2016/04/12 4:59 p.m. | 54 views

CVE-2016-2162

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

CVSS 6.1 | AI score 5.8 | EPSS 0.06525