VYPR

Struts

by Apache

Source repositories

CVEs (85)

  • CVE-2017-5638CriKEVMar 11, 2017
    risk 0.86cvss 9.8epss 1.00

    The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type,…

  • CVE-2017-9791CriKEVJul 10, 2017
    risk 0.80cvss 9.8epss 0.99

    The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

  • CVE-2013-2251CriKEVJul 20, 2013
    risk 0.80cvss 9.8epss 1.00

    Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

  • CVE-2012-0391CriKEVJan 8, 2012
    risk 0.78cvss 9.8epss 0.75

    The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

  • CVE-2017-9805HigKEVSep 15, 2017
    risk 0.69cvss 8.1epss 0.99

    The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

  • CVE-2017-12611CriSep 20, 2017
    risk 0.67cvss 9.8epss 0.88

    In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

  • CVE-2016-3087CriJun 7, 2016
    risk 0.66cvss 9.8epss 0.81

    Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

  • CVE-2016-3082CriApr 26, 2016
    risk 0.65cvss 9.8epss 0.21

    XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

  • CVE-2006-1547HigKEVMar 30, 2006
    risk 0.65cvss 7.5epss 0.55

    ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides…

  • CVE-2016-3081HigApr 26, 2016
    risk 0.63cvss 8.1epss 0.94

    Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

  • CVE-2016-3090HigOct 30, 2017
    risk 0.58cvss 8.8epss 0.06

    The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.

  • CVE-2016-4461HigOct 16, 2017
    risk 0.58cvss 8.8epss 0.08

    Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.

  • CVE-2016-4438CriJul 4, 2016
    risk 0.58cvss 9.8epss 0.17

    The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.

  • CVE-2016-6795CriSep 20, 2017
    risk 0.57cvss 9.8epss 0.08

    In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.

  • CVE-2016-4436CriOct 3, 2016
    risk 0.57cvss 9.8epss 0.07

    Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.

  • CVE-2013-2115HigJul 10, 2013
    risk 0.54cvss 8.1epss 0.73

    Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.

  • CVE-2016-4430HigJul 4, 2016
    risk 0.51cvss 8.8epss 0.04

    Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.

  • CVE-2016-0785HigApr 12, 2016
    risk 0.51cvss 8.8epss 0.09

    Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

  • CVE-2015-0899HigJul 4, 2016
    risk 0.50cvss 7.5epss 0.21

    The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.

  • CVE-2017-9793HigSep 20, 2017
    risk 0.49cvss 7.5epss 0.07

    The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.

Page 1 of 5