Filtered by vendor Apache
Subscriptions
Filtered by product Struts
Subscriptions
Total
92 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-15707 | 3 Apache, Netapp, Oracle | 12 Struts, Oncommand Balance, Agile Plm Framework and 9 more | 2025-04-20 | N/A |
| In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. | ||||
| CVE-2015-5209 | 1 Apache | 1 Struts | 2025-04-20 | N/A |
| Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. | ||||
| CVE-2017-9793 | 1 Apache | 1 Struts | 2025-04-20 | N/A |
| The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload. | ||||
| CVE-2017-9804 | 1 Apache | 1 Struts | 2025-04-20 | N/A |
| In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672. | ||||
| CVE-2016-4461 | 2 Apache, Netapp | 2 Struts, Oncommand Balance | 2025-04-20 | N/A |
| Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785. | ||||
| CVE-2017-9787 | 1 Apache | 1 Struts | 2025-04-20 | N/A |
| When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. | ||||
| CVE-2016-3090 | 1 Apache | 1 Struts | 2025-04-20 | N/A |
| The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. | ||||
| CVE-2017-7672 | 1 Apache | 1 Struts | 2025-04-20 | N/A |
| If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Solution is to upgrade to Apache Struts version 2.5.12. | ||||
| CVE-2014-0114 | 2 Apache, Redhat | 8 Commons Beanutils, Struts, Amq Broker and 5 more | 2025-04-12 | N/A |
| Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. | ||||
| CVE-2014-7809 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. | ||||
| CVE-2016-4465 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. | ||||
| CVE-2015-1831 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. | ||||
| CVE-2016-4436 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. | ||||
| CVE-2016-4433 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. | ||||
| CVE-2014-0116 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. | ||||
| CVE-2014-0112 | 2 Apache, Redhat | 2 Struts, Jboss Fuse | 2025-04-12 | N/A |
| ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. | ||||
| CVE-2016-4431 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. | ||||
| CVE-2016-4430 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. | ||||
| CVE-2016-4003 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter. | ||||
| CVE-2016-2162 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
| Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. | ||||