Struts Security Vulnerabilities and Issues — Struts CVE List

Lucene search

ApacheStruts

6 matches found

CVE•added 2017/09/15 7:29 p.m.•1399 views

CVE-2017-9805

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

8.1CVSS8.4AI score0.9439EPSS

CVE•added 2016/07/04 10:59 p.m.•195 views

CVE-2016-1182

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.

8.2CVSS7.8AI score0.86907EPSS

CVE•added 2016/07/04 10:59 p.m.•183 views

CVE-2016-1181

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.

8.1CVSS8.4AI score0.86907EPSS

CVE•added 2016/07/04 10:59 p.m.•77 views

CVE-2016-4430

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.

8.8CVSS8.5AI score0.03212EPSS

CVE•added 2019/12/05 9:15 p.m.•69 views

CVE-2012-1592

A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.

8.8CVSS8.8AI score0.00806EPSS

CVE•added 2017/10/30 2:29 p.m.•46 views

CVE-2016-3090

The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.

8.8CVSS8.7AI score0.02858EPSS