19 matches found
CVE-2006-1547
CVE-2006-1547 affects Apache Struts 1.x before 1.2.9 when used with BeanUtils 1.7. The vulnerability arises from ActionForm handling a multipart/form-data form where a parameter name references getMultipartRequestHandler, granting access to elements in CommonsMultipartRequestHandler and BeanUtils...
CVE-2014-0114
The CVE-2014-0114 issue affects Apache Struts 1.x through 1.3.10 (and related products using commons-beanutils) where the ActionForm/ClassLoader handling could be manipulated via a class parameter passed to getClass, enabling remote code execution. The F5 advisory confirms the vulnerability impac...
CVE-2020-26258
CVE-2020-26258 is a Server-Side Forgery/SSRF via XStream unmarshalling in versions prior to 1.4.15. Public docs corroborate exploitation possible by crafted input streams to access internal resources, with Java 15+ mitigating the issue and a whitelist-based Security Framework recommended over the...
CVE-2015-0899
CVE-2015-0899 affects Apache Struts 1.x (1.1–1.3.10) where the MultiPageValidator allows remote bypass of access restrictions via a modified page parameter. IBM advisories (IBM Library Support for Struts 1.3.16 remediation, and related IBM bulletins) confirm this family of vulnerabilities and lis...
CVE-2019-0233
CVE-2019-0233 is an Apache Struts vulnerability (affecting Struts 2.0.0–2.5.20) where an access-permission override during file uploads can cause a Denial of Service. Exploitation requires a crafted request, and the impact is DoS during subsequent uploads. Remediation is to upgrade to a fixed Str...
CVE-2006-1546
CVE-2006-1546 : Apache Struts 1.x before 1.2.9 is vulnerable to bypassing validation via a request param org.apache.struts.taglib.html.Constants.CANCEL, causing the action to be canceled but may not be detected by applications that skip isCancelled(). Affects Struts 1.x components and can lead to...
CVE-2014-0112
Summary (facts from sources): CVE-2014-0112 affects Apache Struts 2.x where the ParametersInterceptor does not properly restrict access to the getClass method, enabling remote attackers to manipulate the ClassLoader and execute arbitrary code via a crafted request. The F5 advisories confirm the v...
CVE-2023-34396
CVE-2023-34396 affects Apache Struts; a DoS condition arises when processing multipart requests with non-file fields, allowing remote attackers to exhaust resources. The entry covers Struts up to 2.5.30 and 6.1.2, with remediation by upgrading to Struts 2.5.31 or 6.1.2.1 (or later). IBM security ...
CVE-2017-9787
CVE-2017-9805 affects the Apache Struts 2 REST plugin, where the REST Plugin uses an XStreamHandler with an unfiltered XStream instance, enabling remote code execution via crafted XML data. Affected are Struts 2.x releases containing REST plugin: 2.5.x prior to 2.5.13 and 2.3.x prior to 2.3.34 (p...
CVE-2017-9793
CVE-2017-9793 affects Apache Struts 2 REST plugin in 2.1.x and 2.3.x/2.5.x branches where an outdated XStream library is used, enabling DoS via a crafted XML payload during deserialization. The related connected sources corroborate a broader issue with the Struts REST plugin using XStream without...
CVE-2023-41835
Apache Struts vulnerability CVE-2023-41835 arises from incomplete cleanup of the struts.multipart.saveDir after a denied multipart upload, enabling denial of service. IBM/Atlassian advisories confirm impact and list affected Struts versions and products (e.g., Struts 2.x; Struts 2.5.32, 6.1.2.2, ...
CVE-2017-9804
CVE-2017-9805 affects Apache Struts 2 with the REST plugin that uses an XStreamHandler for XML deserialization without type filtering. The vulnerability allows remote code execution when processing crafted XML payloads. Affected versions are Apache Struts 2.x prior to 2.3.34 and 2.5.x prior to 2....
CVE-2014-0113
The CVE-2014-0113 issue affects Apache Struts CookieInterceptor in Struts 2.x prior to 2.3.20 (and related advisories reference 2.3.16.2), where a wildcard cookiesName value allows access to getClass, enabling potential ClassLoader manipulation and remote code execution via a crafted request. Thi...
CVE-2018-1327
CVE-2018-1327 affects the Apache Struts REST Plugin via the XStream deserialization path, enabling a remote DoS when a malicious XML payload is processed. The advisory chain shows that upgrading to Struts 2.5.16 and switching to the optional Jackson XML handler (or implementing a custom XML handl...
CVE-2015-5209
CVE-2015-5209 affects Apache Struts 2.x and allows a remote attacker to gain unauthorized access by manipulating a special top-level object in Struts' ValueStack, enabling manipulation of internal settings and user sessions. Public advisories and IBM notices enumerate affected IBM products (IBM S...
CVE-2016-4433
CVE-2016-4433 affects Apache Struts 2.2.3.20–2.3.28.1, where a crafted request can bypass access restrictions and trigger redirection attacks. Multiple connected sources (NVD description; IBM advisories for Struts-related products) confirm the same affected range and attack pattern. The provided ...
CVE-2015-1831
CVE-2015-1831 concerns Apache Struts 2.3.20, where misleading default excludeParams could let an attacker alter an application’s internal state. IBM advisories list affected IBM storage platforms (FlashSystem 900/ V840/ V9000 and Storwize families) with fixes in specific code levels (e.g., FlashS...
CVE-2016-4431
CVE-2016-4431 affects Apache Struts 2.2.3.20–2.3.28.1, allowing remote attackers to bypass access restrictions and perform redirection via the default action method. Multiple connected advisories identify this as an in-the-wild risk in various IBM FlashSystem products and related Struts deploymen...
CVE-2025-64775
CVE-2025-64775 affects Apache Struts 2.x (2.0.0–6.7.0) and 7.0.0–7.0.3. The issue is a denial of service caused by a file leak in multipart request processing that can exhaust disk space. The available public details describe the impact as DoS and do not indicate exploitation specifics beyond the...