Filtered by vendor Apache
Subscriptions
Filtered by product Struts
Subscriptions
Total
92 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-4436 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. | ||||
| CVE-2016-4438 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. | ||||
| CVE-2016-3087 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin. | ||||
| CVE-2016-1181 | 2 Apache, Oracle | 3 Struts, Banking Platform, Portal | 2025-04-12 | N/A |
| ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899. | ||||
| CVE-2015-0899 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. | ||||
| CVE-2016-0785 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. | ||||
| CVE-2014-7809 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. | ||||
| CVE-2016-3081 | 2 Apache, Oracle | 2 Struts, Siebel E-billing | 2025-04-12 | N/A |
| Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. | ||||
| CVE-2014-0116 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. | ||||
| CVE-2014-0114 | 2 Apache, Redhat | 8 Commons Beanutils, Struts, Amq Broker and 5 more | 2025-04-12 | N/A |
| Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. | ||||
| CVE-2016-3082 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. | ||||
| CVE-2012-0393 | 1 Apache | 1 Struts | 2025-04-11 | N/A |
| The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object. | ||||
| CVE-2012-1007 | 1 Apache | 1 Struts | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do. | ||||
| CVE-2011-2087 | 1 Apache | 1 Struts | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of value attributes in (1) FileHandler.java, (2) HiddenHandler.java, (3) PasswordHandler.java, (4) RadioHandler.java, (5) ResetHandler.java, (6) SelectHandler.java, (7) SubmitHandler.java, and (8) TextFieldHandler.java. | ||||
| CVE-2011-2088 | 2 Apache, Opensymphony | 3 Struts, Webwork, Xwork | 2025-04-11 | N/A |
| XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3. | ||||
| CVE-2011-5057 | 1 Apache | 1 Struts | 2025-04-11 | N/A |
| Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor." | ||||
| CVE-2012-0392 | 1 Apache | 1 Struts | 2025-04-11 | N/A |
| The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. | ||||
| CVE-2010-1870 | 1 Apache | 1 Struts | 2025-04-11 | N/A |
| The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504. | ||||
| CVE-2012-0838 | 1 Apache | 1 Struts | 2025-04-11 | N/A |
| Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. | ||||
| CVE-2013-1965 | 1 Apache | 2 Struts, Struts2-showcase | 2025-04-11 | N/A |
| Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. | ||||