Show filters
16 Total Results
Displaying 1-10 of 16
Sort by:
Attacker Value
Unknown

CVE-2016-3090

Disclosure Date: October 30, 2017 (last updated November 26, 2024)
The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.
0
0
Attacker Value
Unknown

CVE-2017-12611

Disclosure Date: September 15, 2017 (last updated November 26, 2024)
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
0
0
Attacker Value
Unknown

CVE-2015-5209

Disclosure Date: August 29, 2017 (last updated November 26, 2024)
Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.
0
0
Attacker Value
Unknown

CVE-2016-4436

Disclosure Date: October 03, 2016 (last updated November 25, 2024)
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.
0
0
Attacker Value
Unknown

CVE-2016-3093

Disclosure Date: June 07, 2016 (last updated November 25, 2024)
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
0
0
Attacker Value
Unknown

CVE-2016-3081

Disclosure Date: April 26, 2016 (last updated November 25, 2024)
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
0
0
Attacker Value
Unknown

CVE-2016-3082

Disclosure Date: April 26, 2016 (last updated November 25, 2024)
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
0
0
Attacker Value
Unknown

CVE-2016-2162

Disclosure Date: April 12, 2016 (last updated November 25, 2024)
Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.
0
0
Attacker Value
Unknown

CVE-2014-7809

Disclosure Date: December 10, 2014 (last updated October 05, 2023)
Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
0
0
Attacker Value
Unknown

CVE-2014-0116

Disclosure Date: May 08, 2014 (last updated October 05, 2023)
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
0
0
View More Topics  Next >