National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:apache:struts:1.2.7
There are 26 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2015-5169

Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.

Published: September 25, 2017; 05:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2016-1182

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.

Published: July 04, 2016; 06:59:02 PM -04:00
V3: 8.2 HIGH
V2: 6.4 MEDIUM
CVE-2016-1181

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.

Published: July 04, 2016; 06:59:01 PM -04:00
V3: 8.1 HIGH
V2: 6.8 MEDIUM
CVE-2015-0899

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.

Published: July 04, 2016; 06:59:00 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2016-4003

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

Published: April 12, 2016; 12:59:04 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2016-0785

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

Published: April 12, 2016; 12:59:00 PM -04:00
V3: 8.8 HIGH
V2: 9.0 HIGH
CVE-2014-0114

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Published: April 30, 2014; 06:49:03 AM -04:00
V2: 7.5 HIGH
CVE-2014-0113

CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Published: April 29, 2014; 06:37:03 AM -04:00
V2: 7.5 HIGH
CVE-2014-0112

ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Published: April 29, 2014; 06:37:03 AM -04:00
V2: 7.5 HIGH
CVE-2014-0094

The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

Published: March 11, 2014; 09:00:37 AM -04:00
V2: 5.0 MEDIUM
CVE-2013-2135

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.

Published: July 16, 2013; 02:55:01 PM -04:00
V2: 9.3 HIGH
CVE-2013-2134

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

Published: July 16, 2013; 02:55:01 PM -04:00
V2: 9.3 HIGH
CVE-2013-2115

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.

Published: July 10, 2013; 03:55:04 PM -04:00
V2: 9.3 HIGH
CVE-2013-1966

Apache Struts 2 before 2.3.14.1 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.

Published: July 10, 2013; 03:55:04 PM -04:00
V2: 9.3 HIGH
CVE-2013-1965

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.1, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.

Published: July 10, 2013; 03:55:04 PM -04:00
V2: 9.3 HIGH
CVE-2012-0838

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.

Published: March 02, 2012; 05:55:01 PM -05:00
V2: 10.0 HIGH
CVE-2011-5057

Apache Struts 2.3.1.1 and earlier provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."

Published: January 08, 2012; 12:55:00 PM -05:00
V2: 5.0 MEDIUM
CVE-2012-0394

** DISPUTED ** The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."

Published: January 08, 2012; 10:55:01 AM -05:00
V2: 6.8 MEDIUM
CVE-2012-0393

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

Published: January 08, 2012; 10:55:01 AM -05:00
V2: 6.4 MEDIUM
CVE-2012-0392

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

Published: January 08, 2012; 10:55:01 AM -05:00
V2: 9.3 HIGH