Apache

Struts

87 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.

  • EPSS 5.26%
  • Published 07.06.2016 18:59:03
  • Last modified 12.04.2025 10:46:40

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.

  • EPSS 86.54%
  • Published 07.06.2016 18:59:02
  • Last modified 12.04.2025 10:46:40

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

  • EPSS 30.24%
  • Published 26.04.2016 14:59:03
  • Last modified 12.04.2025 10:46:40

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

Exploit
  • EPSS 94.04%
  • Published 26.04.2016 14:59:02
  • Last modified 12.04.2025 10:46:40

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

  • EPSS 3.4%
  • Published 12.04.2016 16:59:04
  • Last modified 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte c...

  • EPSS 6.53%
  • Published 12.04.2016 16:59:01
  • Last modified 12.04.2025 10:46:40

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

  • EPSS 32.72%
  • Published 12.04.2016 16:59:00
  • Last modified 12.04.2025 10:46:40

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

  • EPSS 6.01%
  • Published 16.07.2015 14:59:00
  • Last modified 12.04.2025 10:46:40

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.

  • EPSS 12.47%
  • Published 10.12.2014 15:59:01
  • Last modified 12.04.2025 10:46:40

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.

  • EPSS 4.89%
  • Published 08.05.2014 10:55:02
  • Last modified 12.04.2025 10:46:40

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a cr...