Lucene search
K

16 matches found

CVE
CVE
added 2016/04/26 2:0 p.m.245 views

CVE-2016-3081

CVE-2016-3081 concerns Apache Struts 2.x where Dynamic Method Invocation (DMI) is enabled. Affected ranges include 2.3.19–2.3.20.2, 2.3.21–2.3.24.1, and 2.3.25–2.3.28; exploitation via the method: prefix with chained expressions allows remote code execution. Exploit references exist (e.g., Exploi...

9.3CVSS8.2AI score0.9373EPSS
CVE
CVE
added 2016/07/04 10:0 p.m.227 views

CVE-2016-1182

CVE-2016-1182 is referenced in Jira issues JSWSERVER-26635/26636 and JSDSERVER-16462/16461, tying the vulnerability to ActionServlet.java in Apache Struts 1.x (1.3.10) with improper Validator configuration. Exploitation concerns remote code execution (RCE) and DoS, with CVSS scores around 8.x (RC...

8.2CVSS7.8AI score0.25737EPSS
CVE
CVE
added 2016/07/04 10:0 p.m.226 views

CVE-2016-1181

CVE-2016-1181 affects Apache Struts 1.x (1.1–1.3.10) where ActionServlet.java mishandles multithreaded access to an ActionForm, allowing a remote attacker to execute arbitrary code or cause a denial of service via a multipart request (related to CVE-2015-0899). The NVD description explicitly ties...

8.1CVSS8.4AI score0.13122EPSS
CVE
CVE
added 2016/07/04 10:0 p.m.174 views

CVE-2016-4438

CVE-2016-4438 affects Apache Struts 2 REST plugin. The REST plugin in Struts 2 versions 2.3.19 through 2.3.28.1 is vulnerable to remote code execution via a crafted OGNL expression due to improper handling of OGNL expressions. The vulnerability could allow an attacker to execute arbitrary code on...

9.8CVSS9.4AI score0.17171EPSS
CVE
CVE
added 2016/07/04 10:0 p.m.168 views

CVE-2015-0899

CVE-2015-0899 affects Apache Struts 1.x (1.1–1.3.10) where the MultiPageValidator allows remote bypass of access restrictions via a modified page parameter. IBM advisories (IBM Library Support for Struts 1.3.16 remediation, and related IBM bulletins) confirm this family of vulnerabilities and lis...

7.5CVSS7.4AI score0.21261EPSS
CVE
CVE
added 2016/06/07 6:0 p.m.111 views

CVE-2016-3087

CVE-2016-3087 affects Apache Struts 2.x when Dynamic Method Invocation is enabled and the REST Plugin is used. The vulnerability allows remote code execution via vectors related to the ! (exclamation mark) operator. Affected versions include Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24...

9.8CVSS9.5AI score0.81087EPSS
CVE
CVE
added 2016/04/12 4:0 p.m.100 views

CVE-2016-4003

CVE-2016-4003 is a cross-site scripting (XSS) vulnerability in the URLDecoder component used by Apache Struts 2.x (pre-2.3.28) when a single-byte page encoding is assumed. An attacker can craft a URL-encoded parameter containing multi-byte characters to inject script/HTML in victims’ browsers. Th...

6.1CVSS5.9AI score0.11562EPSS
CVE
CVE
added 2016/04/12 4:0 p.m.97 views

CVE-2016-0785

CVE-2016-0785 affects Apache Struts 2.x; vulnerability arises from a double OGNL evaluation in tag attributes (forced OGNL). Affected versions include Struts 2.x before 2.3.29 (with references across IBM advisories and OSVs). Exploitation status is not detailed in the provided documents. Remediat...

9CVSS8.7AI score0.08812EPSS
CVE
CVE
added 2016/07/04 10:0 p.m.95 views

CVE-2016-4430

CVE-2016-4430 affects Apache Struts 2.3.20–2.3.28.1, where token validation is mishandled, enabling remote CSRF attacks via unspecified vectors. Public sources in connected docs (IBM security advisories and the NVD entry) corroborate the CSRF impact and tie it to the same Struts versions. The vul...

8.8CVSS8.5AI score0.03801EPSS
CVE
CVE
added 2016/04/26 2:0 p.m.93 views

CVE-2016-3082

CVE-2016-3082 affects Apache Struts 2.x; using XSLTResult, remote code execution is possible via the stylesheet location parameter. Affected: 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1. Impact: arbitrary code execution on the server. Remediation: upgrade to patche...

10CVSS9.6AI score0.20167EPSS
CVE
CVE
added 2016/10/03 3:0 p.m.90 views

CVE-2016-4436

Summary of CVE-2016-4436 : Apache Struts 2 is affected by an unspecified impact vulnerability due to improper action name cleanup. The CVE entry covers versions 2.3. before 2.3.29 and 2.5.x before 2.5.1. Connected IBM and IBM-related advisories explicitly reference this CVE and reiterate that upg...

9.8CVSS8.5AI score0.06549EPSS
CVE
CVE
added 2016/07/04 10:0 p.m.90 views

CVE-2016-4465

CVE-2016-4465 affects Apache Struts 2, specifically the URLValidator. Versions 2.3.20–2.3.28.1 and 2.5.x before 2.5.1 are vulnerable to denial of service when a null value is submitted for a URL field, due to improper validation. The issue is caused by URLValidator handling flaws that allow an un...

5.3CVSS5.3AI score0.10638EPSS
CVE
CVE
added 2016/07/04 10:0 p.m.83 views

CVE-2016-4433

CVE-2016-4433 affects Apache Struts 2.2.3.20–2.3.28.1, where a crafted request can bypass access restrictions and trigger redirection attacks. Multiple connected sources (NVD description; IBM advisories for Struts-related products) confirm the same affected range and attack pattern. The provided ...

7.5CVSS7.7AI score0.10013EPSS
CVE
CVE
added 2016/06/07 6:0 p.m.81 views

CVE-2016-3093

CVE-2016-3093 affects Apache Struts 2.0.0–2.3.24.1. The vulnerability is due to improper caching of method references when OGNL is used, enabling a remote attacker to cause a denial of service (block access to a website). Several connected advisories corroborate the issue and label the impact as ...

5.3CVSS5.3AI score0.08667EPSS
CVE
CVE
added 2016/04/12 4:0 p.m.78 views

CVE-2016-2162

CVE-2016-2162 affects Apache Struts 2.x where the Locale object created by I18NInterceptor is not sanitized, enabling remote XSS via crafted language-display inputs. The described impact is XSS in the victim’s browser within the web site's context. Affected versions are Struts 2.x prior to 2.3.25...

6.1CVSS5.8AI score0.07987EPSS
CVE
CVE
added 2016/07/04 10:0 p.m.70 views

CVE-2016-4431

CVE-2016-4431 affects Apache Struts 2.2.3.20–2.3.28.1, allowing remote attackers to bypass access restrictions and perform redirection via the default action method. Multiple connected advisories identify this as an in-the-wild risk in various IBM FlashSystem products and related Struts deploymen...

7.5CVSS7.8AI score0.10013EPSS