Maven package
org.apache.struts/struts-core
pkg:maven/org.apache.struts/struts-core
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-34396 | — | <= 1.3.10 | — | Jun 14, 2023 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater | ||
| CVE-2016-1182 | Hig | 8.2 | <= 1.3.10 | — | Jul 4, 2016 | ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899. | |
| CVE-2016-1181 | Hig | 8.1 | <= 1.3.10 | — | Jul 4, 2016 | ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015 | |
| CVE-2015-0899 | Hig | 7.5 | >= 1.1, <= 1.3.10 | — | Jul 4, 2016 | The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. | |
| CVE-2012-1007 | — | <= 1.3.10 | — | Feb 7, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) | ||
| CVE-2005-3745 | — | <= 1.2.7 | — | Nov 22, 2005 | Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message. |
- CVE-2023-34396Jun 14, 2023affected <= 1.3.10
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater
- affected <= 1.3.10
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
- affected <= 1.3.10
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015
- affected >= 1.1, <= 1.3.10
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
- CVE-2012-1007Feb 7, 2012affected <= 1.3.10
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3)
- CVE-2005-3745Nov 22, 2005affected <= 1.2.7
Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message.