10 matches found

CVE-2012-0391 (added 2012/01/08 3:55 p.m.)

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

CVSS: 9.8 | AI score: 8.5 | EPSS: 0.90887
CVE-2012-0394 (added 2012/01/08 3:55 p.m.)

The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."

CVSS: 6.8 | AI score: 9.2 | EPSS: 0.93732
CVE-2012-0392 (added 2012/01/08 3:55 p.m.)

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

CVSS: 6.8 | AI score: 9.3 | EPSS: 0.93052
CVE-2012-1007 (added 2012/02/07 4:09 a.m.)

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/pr...

CVSS: 4.3 | AI score: 7.6 | EPSS: 0.17686
CVE-2012-0838 (added 2012/03/02 10:55 p.m.)

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.

CVSS: 10 | AI score: 7.1 | EPSS: 0.66942
CVE-2012-4387 (added 2012/09/05 11:55 p.m.)

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.

CVSS: 5 | AI score: 6.5 | EPSS: 0.19224
CVE-2012-4386 (added 2012/09/05 11:55 p.m.)

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.

CVSS: 6.8 | AI score: 6.7 | EPSS: 0.08301
CVE-2012-0393 (added 2012/01/08 3:55 p.m.)

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

CVSS: 6.4 | AI score: 8.8 | EPSS: 0.89246
CVE-2012-1006 (added 2012/02/07 4:09 a.m.)

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/order...

CVSS: 4.3 | AI score: 5.6 | EPSS: 0.83896
CVE-2011-5057 (added 2012/01/08 5:55 p.m.)

Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affec...

CVSS: 5 | AI score: 8.8 | EPSS: 0.69878