10 matches found
CVE-2012-0391
CVE-2012-0391 affects Apache Struts 2 before 2.2.3.1, where the ExceptionDelegator interprets parameter values as OGNL expressions during certain exception handling for mismatched data types, enabling remote code execution via a crafted parameter. Multiple sources (CVE entry, CISA KEV, GHSA advis...
CVE-2012-0394
CVE-2012-0394 affects Apache Struts 2.x, specifically the DebuggingInterceptor component when Developer Mode is enabled. The IBM security bulletin consolidates multiple Struts CVEs and states that the vulnerable code related to CVE-2012-0394 is not in use in Order Management, lowering risk; the a...
CVE-2012-0392
CVE-2012-0392 affects Apache Struts: CookieInterceptor does not enforce a parameter-name whitelist, enabling remote code execution via a crafted HTTP Cookie header that can trigger Java code execution through a static method. The Nuclei template confirms this as part of the S2-008 family, describ...
CVE-2012-1007
CVE-2012-1007 is an XSS vulnerability in Apache Struts 1.3.10. The issue allows remote attackers to inject arbitrary scripts via (1) name in struts-examples/upload/upload-submit.do, or (2) message in struts-cookbook/processSimple.do, or (3) struts-cookbook/processDyna.do. The IBM/OSS sources iden...
CVE-2012-0838
CVE-2012-0838 affects Apache Struts 2 before 2.2.3.1, where an OGNL expression is evaluated during a conversion error, enabling a remote attacker to modify run-time data values and potentially execute arbitrary code. IBM security bulletins for Order Management (and related advisories) confirm the...
CVE-2012-4386
CVE-2012-4386 affects Apache Struts 2.x (2.0.0–2.3.4). The token check mechanism fails to validate the token name configuration parameter, enabling CSRF by setting the token name to a session attribute. Impact described in sources: cross-site request forgery with potential unauthorized actions wh...
CVE-2012-4387
CVE-2012-4387 is an Apache Struts DoS vulnerability: remote attacker can cause CPU exhaustion by sending a long parameter name that is processed as an OGNL expression. The issue affects Struts 2.0.0–2.3.4. In the connected IBM advisories, remediation centers on upgrading IBM Sterling Order Manage...
CVE-2012-1006
CVE-2012-1006 refers to multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3. The flaws allow remote attackers to inject arbitrary web script or HTML via parameters in the Struts2 showcase applications: (1) name, (2) lastName to struts2-showcase/person/editPerson....
CVE-2012-0393
CVE-2012-0393 concerns Apache Struts 2.x. The vulnerability lies in the ParameterInterceptor component not preventing access to public constructors, allowing a remote attacker to cause the creation of Java objects and thus “trigger” the creation or overwrite of arbitrary files via a crafted param...
CVE-2011-5057
CVE-2011-5057 affects Apache Struts 2.3.1.2 and earlier (2.3.19–2.3.23). The issue arises from interfaces such as SessionAware/RequestAware not properly restricting access to session/request collections, enabling a remote attacker to modify runtime data via crafted parameters. Vendor notes (and s...