Apache

Struts

87 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2014-0114

  • EPSS 92.32%
  • Published 30.04.2014 10:49:03
  • Last modified 12.04.2025 10:46:40

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "m...

7.5

CVE-2014-0113

  • EPSS 87.22%
  • Published 29.04.2014 10:37:03
  • Last modified 12.04.2025 10:46:40

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a craf...

7.5

CVE-2014-0112

  • EPSS 91.66%
  • Published 29.04.2014 10:37:03
  • Last modified 12.04.2025 10:46:40

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability ex...

5

CVE-2014-0094

  • EPSS 93.08%
  • Published 11.03.2014 13:00:37
  • Last modified 12.04.2025 10:46:40

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

4.3

CVE-2013-6348

Exploit
  • EPSS 6.82%
  • Published 02.11.2013 21:55:04
  • Last modified 11.04.2025 00:51:21

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/.

10

CVE-2013-4316

  • EPSS 7.17%
  • Published 30.09.2013 21:55:09
  • Last modified 11.04.2025 00:51:21

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

5.8

CVE-2013-4310

  • EPSS 13.09%
  • Published 30.09.2013 21:55:09
  • Last modified 11.04.2025 00:51:21

Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.

9.8

CVE-2013-2251

Warning Exploit
  • EPSS 94.23%
  • Published 20.07.2013 03:37:30
  • Last modified 11.04.2025 00:51:21

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

5.8

CVE-2013-2248

  • EPSS 93.52%
  • Published 20.07.2013 03:37:30
  • Last modified 11.04.2025 00:51:21

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.

9.3

CVE-2013-2135

  • EPSS 83.46%
  • Published 16.07.2013 18:55:01
  • Last modified 11.04.2025 00:51:21

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.