Apache

Struts

90 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.8

CVE-2016-3090

  • EPSS 2.86%
  • Veröffentlicht 30.10.2017 14:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.

9

CVE-2016-4461

  • EPSS 2.63%
  • Veröffentlicht 16.10.2017 16:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.

6.1

CVE-2015-5169

  • EPSS 1.15%
  • Veröffentlicht 25.09.2017 21:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.

7.5

CVE-2017-9804

  • EPSS 12.07%
  • Veröffentlicht 20.09.2017 17:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when perfor...

7.5

CVE-2017-9793

  • EPSS 13.43%
  • Veröffentlicht 20.09.2017 17:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.

9.8

CVE-2017-12611

Exploit
  • EPSS 94.23%
  • Veröffentlicht 20.09.2017 17:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

5.9

CVE-2016-8738

  • EPSS 0.6%
  • Veröffentlicht 20.09.2017 17:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the...

9.8

CVE-2016-6795

  • EPSS 12.48%
  • Veröffentlicht 20.09.2017 17:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.

8.1

CVE-2017-9805

Warnung Exploit
  • EPSS 94.32%
  • Veröffentlicht 15.09.2017 19:29:00
  • Zuletzt bearbeitet 22.10.2025 00:16:12

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing X...

7.5

CVE-2015-5209

  • EPSS 3.63%
  • Veröffentlicht 29.08.2017 15:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.