CVE ID: CVE-2017-9791
Assigner: apache
Date Published: 2017-07-07T00:00:00
Affected Products:
- Apache Software Foundation Apache Struts: From (including) 2.1.x series
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
CVE ID: CVE-2018-11776
Assigner: apache
Date Published: 2018-08-22T00:00:00
Affected Products:
- Apache Software Foundation Apache Struts: From (including) 2.3 to 2.3.34
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and, in addition, results are used with no namespace while their upper package has no namespace or a wildcard namespace. Similarly to results, the same possibility exists when using the url tag without a value and action set while its upper package has no namespace or a wildcard namespace.
CVE ID: CVE-2011-3923
Assigner: Chrome
Date Published: 2019-11-01T13:57:37
Affected Products:
- Apache Struts: From (including) 2.3.1.2
Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.
CVE ID: CVE-2020-17530
Assigner: apache
Date Published: 2020-12-11T01:11:04
Affected Products:
- Apache Software Foundation Apache Struts: From (including) Struts 2.0.0 - Struts 2.5.25
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 - Struts 2.5.25.
CVE ID: CVE-2013-6348
Assigner: mitre
Date Published: 2013-11-02T21:00:00
Affected Products:
- n/a n/a: From (including) n/a
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/.
CVE ID: CVE-2017-5638
Assigner: apache
Date Published: 2017-03-11T02:11:00
Affected Products:
- Apache Software Foundation Apache Struts: From (including) 2.3.x before 2.3.32
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
CVE ID: CVE-2016-4438
Assigner: redhat
Date Published: 2016-07-04T22:00:00
Affected Products:
- n/a n/a: From (including) n/a
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.
CVE ID: CVE-2016-1181
Assigner: jpcert
Date Published: 2016-07-04T22:00:00
Affected Products:
- n/a n/a: From (including) n/a
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.
CVE ID: CVE-2013-4310
Assigner: redhat
Date Published: 2013-09-30T21:00:00
Affected Products:
- n/a n/a: From (including) n/a
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.
CVE ID: CVE-2012-1592
Assigner: redhat
Date Published: 2019-12-05T20:57:22
Affected Products:
- libstruts1.2-java libstruts1.2-java: From (including) 1.2-
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.