Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Apache Struts
- Search Type: Search All
- Match: Exact
- CPE Name Search: false
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2016-6795 |
In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side. Published: September 20, 2017; 1:29:00 PM -0400 |
V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2017-9805 |
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. Published: September 15, 2017; 3:29:00 PM -0400 |
V3.0: 8.1 HIGH V2.0: 6.8 MEDIUM |
CVE-2015-5209 |
Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. Published: August 29, 2017; 11:29:00 AM -0400 |
V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2017-9787 |
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. Published: July 13, 2017; 11:29:00 AM -0400 |
V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2017-7672 |
If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Solution is to upgrade to Apache Struts version 2.5.12. Published: July 13, 2017; 11:29:00 AM -0400 |
V3.0: 5.9 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-9791 |
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. Published: July 10, 2017; 12:29:00 PM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2017-5638 |
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. Published: March 10, 2017; 9:59:00 PM -0500 |
V3.0: 10.0 CRITICAL V2.0: 10.0 HIGH |
CVE-2016-4436 |
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. Published: October 03, 2016; 11:59:01 AM -0400 |
V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2016-4465 |
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. Published: July 04, 2016; 6:59:10 PM -0400 |
V3.0: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
CVE-2016-4438 |
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Published: July 04, 2016; 6:59:09 PM -0400 |
V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2016-4433 |
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. Published: July 04, 2016; 6:59:07 PM -0400 |
V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2016-4431 |
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. Published: July 04, 2016; 6:59:06 PM -0400 |
V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2016-4430 |
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. Published: July 04, 2016; 6:59:05 PM -0400 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2016-1182 |
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899. Published: July 04, 2016; 6:59:02 PM -0400 |
V3.0: 8.2 HIGH V2.0: 6.4 MEDIUM |
CVE-2016-1181 |
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899. Published: July 04, 2016; 6:59:01 PM -0400 |
V3.0: 8.1 HIGH V2.0: 6.8 MEDIUM |
CVE-2015-0899 |
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. Published: July 04, 2016; 6:59:00 PM -0400 |
V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2016-3093 |
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. Published: June 07, 2016; 2:59:03 PM -0400 |
V3.0: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
CVE-2016-3087 |
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin. Published: June 07, 2016; 2:59:02 PM -0400 |
V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2016-3082 |
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. Published: April 26, 2016; 10:59:03 AM -0400 |
V3.0: 9.8 CRITICAL V2.0: 10.0 HIGH |
CVE-2016-3081 |
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. Published: April 26, 2016; 10:59:02 AM -0400 |
V3.0: 8.1 HIGH V2.0: 9.3 HIGH |