Vulnerabilities (CVE)

Vendor filter

Apache Subscribe

Product filter

Struts Subscribe

Filter

73 total CVE
CVE Vendors Products Updated CVSS
CVE-2016-0785 1 Apache 1 Struts 2019-08-23 9.0
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
CVE-2017-9805 1 Apache 1 Struts 2019-08-12 6.8
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when...
CVE-2017-9793 1 Apache 1 Struts 2019-08-12 5.0
The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.
CVE-2017-9791 1 Apache 1 Struts 2019-08-12 7.5
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
CVE-2017-12611 1 Apache 1 Struts 2019-08-12 7.5
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
CVE-2016-6795 1 Apache 1 Struts 2019-08-12 7.5
In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.
CVE-2016-4438 1 Apache 1 Struts 2019-08-12 7.5
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.
CVE-2016-3087 1 Apache 1 Struts 2019-08-12 7.5
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.
CVE-2016-3081 2 Apache, Oracle 2 Struts, Siebel E-billing 2019-08-12 9.3
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
CVE-2014-0116 1 Apache 1 Struts 2019-08-12 5.8
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via...
CVE-2014-0113 1 Apache 1 Struts 2019-08-12 7.5
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a...
CVE-2014-0112 1 Apache 1 Struts 2019-08-12 7.5
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this...
CVE-2014-0094 1 Apache 1 Struts 2019-08-12 5.0
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
CVE-2013-1966 1 Apache 1 Struts 2019-08-12 9.3
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.
CVE-2013-1965 1 Apache 2 Struts2-showcase, Struts 2019-08-12 9.3
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
CVE-2011-5057 1 Apache 1 Struts 2019-08-12 5.0
Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted...
CVE-2014-0114 1 Apache 2 Commons Beanutils, Struts 2019-06-15 7.5
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers...
CVE-2016-4461 2 Apache, Netapp 2 Struts, Oncommand Balance 2019-05-01 9.0
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
CVE-2017-15707 3 Apache, Netapp, Oracle 12 Struts, Oncommand Balance, Agile Plm Framework and 9 more 2019-04-26 5.0
In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.
CVE-2016-1182 1 Apache 1 Struts 2019-04-23 6.4
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related...