Lucene search
+L
ApacheStruts

19 matches found

cve
cve
added 2006/03/30 10:0 p.m.1108 views

CVE-2006-1547

CVE-2006-1547 affects Apache Struts 1.x before 1.2.9 when used with BeanUtils 1.7. The vulnerability arises from ActionForm handling a multipart/form-data form where a parameter name references getMultipartRequestHandler, granting access to elements in CommonsMultipartRequestHandler and BeanUtils...

7.8CVSS7.2AI score0.54635EPSS
In wild
cve
cve
added 2014/04/30 10:0 a.m.466 views

CVE-2014-0114

The CVE-2014-0114 issue affects Apache Struts 1.x through 1.3.10 (and related products using commons-beanutils) where the ActionForm/ClassLoader handling could be manipulated via a class parameter passed to getClass, enabling remote code execution. The F5 advisory confirms the vulnerability impac...

7.5CVSS8.4AI score0.96121EPSS
Web
cve
cve
added 2020/12/16 1:5 a.m.322 views

CVE-2020-26258

CVE-2020-26258 is a Server-Side Forgery/SSRF via XStream unmarshalling in versions prior to 1.4.15. Public docs corroborate exploitation possible by crafted input streams to access internal resources, with Java 15+ mitigating the issue and a whitelist-based Security Framework recommended over the...

7.7CVSS8.1AI score0.82238EPSS
cve
cve
added 2016/07/04 10:0 p.m.168 views

CVE-2015-0899

CVE-2015-0899 affects Apache Struts 1.x (1.1–1.3.10) where the MultiPageValidator allows remote bypass of access restrictions via a modified page parameter. IBM advisories (IBM Library Support for Struts 1.3.16 remediation, and related IBM bulletins) confirm this family of vulnerabilities and lis...

7.5CVSS7.4AI score0.21261EPSS
cve
cve
added 2020/09/14 4:50 p.m.150 views

CVE-2019-0233

CVE-2019-0233 is an Apache Struts vulnerability (affecting Struts 2.0.0–2.5.20) where an access-permission override during file uploads can cause a Denial of Service. Exploitation requires a crafted request, and the impact is DoS during subsequent uploads. Remediation is to upgrade to a fixed Str...

7.5CVSS8.1AI score0.68761EPSS
cve
cve
added 2006/03/30 10:0 p.m.146 views

CVE-2006-1546

CVE-2006-1546 : Apache Struts 1.x before 1.2.9 is vulnerable to bypassing validation via a request param org.apache.struts.taglib.html.Constants.CANCEL, causing the action to be canceled but may not be detected by applications that skip isCancelled(). Affects Struts 1.x components and can lead to...

7.5CVSS6.3AI score0.06142EPSS
cve
cve
added 2014/04/29 10:0 a.m.131 views

CVE-2014-0112

Summary (facts from sources): CVE-2014-0112 affects Apache Struts 2.x where the ParametersInterceptor does not properly restrict access to the getClass method, enabling remote attackers to manipulate the ClassLoader and execute arbitrary code via a crafted request. The F5 advisories confirm the v...

7.5CVSS7.3AI score0.98094EPSS
cve
cve
added 2023/06/14 7:50 a.m.130 views

CVE-2023-34396

CVE-2023-34396 affects Apache Struts; a DoS condition arises when processing multipart requests with non-file fields, allowing remote attackers to exhaust resources. The entry covers Struts up to 2.5.30 and 6.1.2, with remediation by upgrading to Struts 2.5.31 or 6.1.2.1 (or later). IBM security ...

7.5CVSS5.7AI score0.05467EPSS
cve
cve
added 2017/07/13 3:0 p.m.128 views

CVE-2017-9787

CVE-2017-9805 affects the Apache Struts 2 REST plugin, where the REST Plugin uses an XStreamHandler with an unfiltered XStream instance, enabling remote code execution via crafted XML data. Affected are Struts 2.x releases containing REST plugin: 2.5.x prior to 2.5.13 and 2.3.x prior to 2.3.34 (p...

7.5CVSS7.4AI score0.09711EPSS
cve
cve
added 2017/09/20 5:0 p.m.128 views

CVE-2017-9793

CVE-2017-9793 affects Apache Struts 2 REST plugin in 2.1.x and 2.3.x/2.5.x branches where an outdated XStream library is used, enabling DoS via a crafted XML payload during deserialization. The related connected sources corroborate a broader issue with the Struts REST plugin using XStream without...

7.5CVSS7.4AI score0.0902EPSS
cve
cve
added 2023/12/05 8:37 a.m.128 views

CVE-2023-41835

Apache Struts vulnerability CVE-2023-41835 arises from incomplete cleanup of the struts.multipart.saveDir after a denied multipart upload, enabling denial of service. IBM/Atlassian advisories confirm impact and list affected Struts versions and products (e.g., Struts 2.x; Struts 2.5.32, 6.1.2.2, ...

7.5CVSS7.3AI score0.06286EPSS
cve
cve
added 2017/09/20 5:0 p.m.126 views

CVE-2017-9804

CVE-2017-9805 affects Apache Struts 2 with the REST plugin that uses an XStreamHandler for XML deserialization without type filtering. The vulnerability allows remote code execution when processing crafted XML payloads. Affected versions are Apache Struts 2.x prior to 2.3.34 and 2.5.x prior to 2....

7.5CVSS6.4AI score0.99461EPSS
cve
cve
added 2014/04/29 10:0 a.m.121 views

CVE-2014-0113

The CVE-2014-0113 issue affects Apache Struts CookieInterceptor in Struts 2.x prior to 2.3.20 (and related advisories reference 2.3.16.2), where a wildcard cookiesName value allows access to getClass, enabling potential ClassLoader manipulation and remote code execution via a crafted request. Thi...

7.5CVSS7.3AI score0.78451EPSS
cve
cve
added 2018/03/27 9:0 p.m.114 views

CVE-2018-1327

CVE-2018-1327 affects the Apache Struts REST Plugin via the XStream deserialization path, enabling a remote DoS when a malicious XML payload is processed. The advisory chain shows that upgrading to Struts 2.5.16 and switching to the optional Jackson XML handler (or implementing a custom XML handl...

7.5CVSS7.4AI score0.09224EPSS
cve
cve
added 2017/08/29 3:0 p.m.84 views

CVE-2015-5209

CVE-2015-5209 affects Apache Struts 2.x and allows a remote attacker to gain unauthorized access by manipulating a special top-level object in Struts' ValueStack, enabling manipulation of internal settings and user sessions. Public advisories and IBM notices enumerate affected IBM products (IBM S...

7.5CVSS7.3AI score0.09063EPSS
cve
cve
added 2016/07/04 10:0 p.m.84 views

CVE-2016-4433

CVE-2016-4433 affects Apache Struts 2.2.3.20–2.3.28.1, where a crafted request can bypass access restrictions and trigger redirection attacks. Multiple connected sources (NVD description; IBM advisories for Struts-related products) confirm the same affected range and attack pattern. The provided ...

7.5CVSS7.7AI score0.10013EPSS
cve
cve
added 2015/07/16 2:0 p.m.82 views

CVE-2015-1831

CVE-2015-1831 concerns Apache Struts 2.3.20, where misleading default excludeParams could let an attacker alter an application’s internal state. IBM advisories list affected IBM storage platforms (FlashSystem 900/ V840/ V9000 and Storwize families) with fixes in specific code levels (e.g., FlashS...

7.5CVSS6.5AI score0.06312EPSS
cve
cve
added 2016/07/04 10:0 p.m.71 views

CVE-2016-4431

CVE-2016-4431 affects Apache Struts 2.2.3.20–2.3.28.1, allowing remote attackers to bypass access restrictions and perform redirection via the default action method. Multiple connected advisories identify this as an in-the-wild risk in various IBM FlashSystem products and related Struts deploymen...

7.5CVSS7.8AI score0.10013EPSS
cve
cve
added 2025/12/01 4:7 p.m.52 views

CVE-2025-64775

CVE-2025-64775 affects Apache Struts 2.x (2.0.0–6.7.0) and 7.0.0–7.0.3. The issue is a denial of service caused by a file leak in multipart request processing that can exhaust disk space. The available public details describe the impact as DoS and do not indicate exploitation specifics beyond the...

7.5CVSS6.5AI score0.01456EPSS