VYPR

Struts

by Apache

CVEs (85)

  • CVE-2015-5209 | High | Aug 29, 2017
    risk 0.49 | cvss 7.5 | epss 0.09

    Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.

  • CVE-2016-1182 | High | Jul 4, 2016
    risk 0.48 | cvss 8.2 | epss 0.26

    ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.

  • CVE-2016-1181 | High | Jul 4, 2016
    risk 0.47 | cvss 8.1 | epss 0.13

    ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to…

  • CVE-2017-9804 | High | Sep 20, 2017
    risk 0.43 | cvss 7.5 | epss 0.10

    In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. …

  • CVE-2017-9787 | High | Jul 13, 2017
    risk 0.43 | cvss 7.5 | epss 0.11

    When using Spring AOP functionality to secure Struts actions, it is possible to perform a DoS attack. The solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

  • CVE-2016-4433 | High | Jul 4, 2016
    risk 0.43 | cvss 7.5 | epss 0.10

    Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.

  • CVE-2016-4431 | High | Jul 4, 2016
    risk 0.43 | cvss 7.5 | epss 0.10

    Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.

  • CVE-2018-1327 | High | Mar 27, 2018
    risk 0.42 | cvss 7.5 | epss 0.09

    The Apache Struts REST Plugin uses the XStream library, which is vulnerable and allows a DoS attack via a malicious request with a specially crafted XML payload. Upgrade to Apache Struts version 2.5.16 and switch to the optional Jackson XML handler as described…

  • CVE-2017-15707 | Medium | Dec 1, 2017
    risk 0.41 | cvss 6.2 | epss 0.05

    In Apache Struts 2.5 to 2.5.14, the REST Plugin uses an outdated JSON-lib library, which is vulnerable and allows a DoS attack via a malicious request with a specially crafted JSON payload.

  • CVE-2015-5169 | Medium | Sep 25, 2017
    risk 0.40 | cvss 6.1 | epss 0.08

    Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.

  • CVE-2017-7672 | Medium | Jul 13, 2017
    risk 0.39 | cvss 5.9 | epss 0.09

    If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload the server process when performing validation of the URL. The solution is to upgrade to Apache Struts version 2.5.12.

  • CVE-2016-3093 | Medium | Jun 7, 2016
    risk 0.35 | cvss 5.3 | epss 0.11

    Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.

  • CVE-2016-4003 | Medium | Apr 12, 2016
    risk 0.34 | cvss 6.1 | epss 0.12

    Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded…

  • CVE-2016-2162 | Medium | Apr 12, 2016
    risk 0.33 | cvss 6.1 | epss 0.09

    Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

  • CVE-2016-8738 | Medium | Sep 20, 2017
    risk 0.32 | cvss 5.9 | epss 0.03

    In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.

  • CVE-2016-4465 | Medium | Jul 4, 2016
    risk 0.28 | cvss 5.3 | epss 0.11

    The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.

  • CVE-2020-17530 | KEV | Dec 11, 2020
    risk 0.23 | cvss n/a | epss 0.96

    Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 through Struts 2.5.25.

  • CVE-2018-11776 | High | KEV | Aug 22, 2018
    risk 0.16 | cvss 8.1 | epss 1.00

    Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no…

  • CVE-2014-0112 | Apr 29, 2014
    risk 0.11 | cvss n/a | epss 0.98

    ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete…

  • CVE-2011-3923 | Nov 1, 2019
    risk 0.10 | cvss n/a | epss 0.89

    Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.

Page 2 of 5