16 matches found
CVE-2016-3081
CVE-2016-3081 concerns Apache Struts 2.x where Dynamic Method Invocation (DMI) is enabled. Affected ranges include 2.3.19–2.3.20.2, 2.3.21–2.3.24.1, and 2.3.25–2.3.28; exploitation via the method: prefix with chained expressions allows remote code execution. Exploit references exist (e.g., Exploi...
CVE-2016-1182
CVE-2016-1182 is referenced in Jira issues JSWSERVER-26635/26636 and JSDSERVER-16462/16461, tying the vulnerability to ActionServlet.java in Apache Struts 1.x (1.3.10) with improper Validator configuration. Exploitation concerns remote code execution (RCE) and DoS, with CVSS scores around 8.x (RC...
CVE-2016-1181
CVE-2016-1181 affects Apache Struts 1.x (1.1–1.3.10) where ActionServlet.java mishandles multithreaded access to an ActionForm, allowing a remote attacker to execute arbitrary code or cause a denial of service via a multipart request (related to CVE-2015-0899). The NVD description explicitly ties...
CVE-2016-4438
CVE-2016-4438 affects Apache Struts 2 REST plugin. The REST plugin in Struts 2 versions 2.3.19 through 2.3.28.1 is vulnerable to remote code execution via a crafted OGNL expression due to improper handling of OGNL expressions. The vulnerability could allow an attacker to execute arbitrary code on...
CVE-2015-0899
CVE-2015-0899 affects Apache Struts 1.x (1.1–1.3.10) where the MultiPageValidator allows remote bypass of access restrictions via a modified page parameter. IBM advisories (IBM Library Support for Struts 1.3.16 remediation, and related IBM bulletins) confirm this family of vulnerabilities and lis...
CVE-2016-3087
CVE-2016-3087 affects Apache Struts 2.x when Dynamic Method Invocation is enabled and the REST Plugin is used. The vulnerability allows remote code execution via vectors related to the ! (exclamation mark) operator. Affected versions include Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24...
CVE-2016-4003
CVE-2016-4003 is a cross-site scripting (XSS) vulnerability in the URLDecoder component used by Apache Struts 2.x (pre-2.3.28) when a single-byte page encoding is assumed. An attacker can craft a URL-encoded parameter containing multi-byte characters to inject script/HTML in victims’ browsers. Th...
CVE-2016-0785
CVE-2016-0785 affects Apache Struts 2.x; vulnerability arises from a double OGNL evaluation in tag attributes (forced OGNL). Affected versions include Struts 2.x before 2.3.29 (with references across IBM advisories and OSVs). Exploitation status is not detailed in the provided documents. Remediat...
CVE-2016-4430
CVE-2016-4430 affects Apache Struts 2.3.20–2.3.28.1, where token validation is mishandled, enabling remote CSRF attacks via unspecified vectors. Public sources in connected docs (IBM security advisories and the NVD entry) corroborate the CSRF impact and tie it to the same Struts versions. The vul...
CVE-2016-3082
CVE-2016-3082 affects Apache Struts 2.x; using XSLTResult, remote code execution is possible via the stylesheet location parameter. Affected: 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1. Impact: arbitrary code execution on the server. Remediation: upgrade to patche...
CVE-2016-4436
Summary of CVE-2016-4436 : Apache Struts 2 is affected by an unspecified impact vulnerability due to improper action name cleanup. The CVE entry covers versions 2.3. before 2.3.29 and 2.5.x before 2.5.1. Connected IBM and IBM-related advisories explicitly reference this CVE and reiterate that upg...
CVE-2016-4465
CVE-2016-4465 affects Apache Struts 2, specifically the URLValidator. Versions 2.3.20–2.3.28.1 and 2.5.x before 2.5.1 are vulnerable to denial of service when a null value is submitted for a URL field, due to improper validation. The issue is caused by URLValidator handling flaws that allow an un...
CVE-2016-4433
CVE-2016-4433 affects Apache Struts 2.2.3.20–2.3.28.1, where a crafted request can bypass access restrictions and trigger redirection attacks. Multiple connected sources (NVD description; IBM advisories for Struts-related products) confirm the same affected range and attack pattern. The provided ...
CVE-2016-3093
CVE-2016-3093 affects Apache Struts 2.0.0–2.3.24.1. The vulnerability is due to improper caching of method references when OGNL is used, enabling a remote attacker to cause a denial of service (block access to a website). Several connected advisories corroborate the issue and label the impact as ...
CVE-2016-2162
CVE-2016-2162 affects Apache Struts 2.x where the Locale object created by I18NInterceptor is not sanitized, enabling remote XSS via crafted language-display inputs. The described impact is XSS in the victim’s browser within the web site's context. Affected versions are Struts 2.x prior to 2.3.25...
CVE-2016-4431
CVE-2016-4431 affects Apache Struts 2.2.3.20–2.3.28.1, allowing remote attackers to bypass access restrictions and perform redirection via the default action method. Multiple connected advisories identify this as an in-the-wild risk in various IBM FlashSystem products and related Struts deploymen...