Lucene search
K

10 matches found

CVE
CVE
added 2012/01/08 3:0 p.m.1146 views

CVE-2012-0391

CVE-2012-0391 affects Apache Struts 2 before 2.2.3.1, where the ExceptionDelegator interprets parameter values as OGNL expressions during certain exception handling for mismatched data types, enabling remote code execution via a crafted parameter. Multiple sources (CVE entry, CISA KEV, GHSA advis...

9.8CVSS8.5AI score0.75071EPSS
In wildWeb
CVE
CVE
added 2012/01/08 3:0 p.m.201 views

CVE-2012-0394

CVE-2012-0394 affects Apache Struts 2.x, specifically the DebuggingInterceptor component when Developer Mode is enabled. The IBM security bulletin consolidates multiple Struts CVEs and states that the vulnerable code related to CVE-2012-0394 is not in use in Order Management, lowering risk; the a...

6.8CVSS9.2AI score0.74405EPSS
Web
CVE
CVE
added 2012/01/08 3:0 p.m.175 views

CVE-2012-0392

CVE-2012-0392 affects Apache Struts: CookieInterceptor does not enforce a parameter-name whitelist, enabling remote code execution via a crafted HTTP Cookie header that can trigger Java code execution through a static method. The Nuclei template confirms this as part of the S2-008 family, describ...

6.8CVSS9.3AI score0.96787EPSS
CVE
CVE
added 2012/02/07 2:0 a.m.122 views

CVE-2012-1007

CVE-2012-1007 is an XSS vulnerability in Apache Struts 1.3.10. The issue allows remote attackers to inject arbitrary scripts via (1) name in struts-examples/upload/upload-submit.do, or (2) message in struts-cookbook/processSimple.do, or (3) struts-cookbook/processDyna.do. The IBM/OSS sources iden...

4.3CVSS7.6AI score0.33937EPSS
Web
CVE
CVE
added 2012/03/02 10:0 p.m.106 views

CVE-2012-0838

CVE-2012-0838 affects Apache Struts 2 before 2.2.3.1, where an OGNL expression is evaluated during a conversion error, enabling a remote attacker to modify run-time data values and potentially execute arbitrary code. IBM security bulletins for Order Management (and related advisories) confirm the...

10CVSS7.1AI score0.1388EPSS
CVE
CVE
added 2012/09/05 11:0 p.m.84 views

CVE-2012-4386

CVE-2012-4386 affects Apache Struts 2.x (2.0.0–2.3.4). The token check mechanism fails to validate the token name configuration parameter, enabling CSRF by setting the token name to a session attribute. Impact described in sources: cross-site request forgery with potential unauthorized actions wh...

6.8CVSS6.7AI score0.03333EPSS
CVE
CVE
added 2012/09/05 11:0 p.m.82 views

CVE-2012-4387

CVE-2012-4387 is an Apache Struts DoS vulnerability: remote attacker can cause CPU exhaustion by sending a long parameter name that is processed as an OGNL expression. The issue affects Struts 2.0.0–2.3.4. In the connected IBM advisories, remediation centers on upgrading IBM Sterling Order Manage...

5CVSS6.5AI score0.08353EPSS
CVE
CVE
added 2012/02/07 2:0 a.m.80 views

CVE-2012-1006

CVE-2012-1006 refers to multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3. The flaws allow remote attackers to inject arbitrary web script or HTML via parameters in the Struts2 showcase applications: (1) name, (2) lastName to struts2-showcase/person/editPerson....

4.3CVSS5.6AI score0.58476EPSS
Web
CVE
CVE
added 2012/01/08 3:0 p.m.77 views

CVE-2012-0393

CVE-2012-0393 concerns Apache Struts 2.x. The vulnerability lies in the ParameterInterceptor component not preventing access to public constructors, allowing a remote attacker to cause the creation of Java objects and thus “trigger” the creation or overwrite of arbitrary files via a crafted param...

6.4CVSS8.8AI score0.38261EPSS
CVE
CVE
added 2012/01/08 5:0 p.m.63 views

CVE-2011-5057

CVE-2011-5057 affects Apache Struts 2.3.1.2 and earlier (2.3.19–2.3.23). The issue arises from interfaces such as SessionAware/RequestAware not properly restricting access to session/request collections, enabling a remote attacker to modify runtime data via crafted parameters. Vendor notes (and s...

5CVSS8.8AI score0.28628EPSS