Filtered by vendor Apache
Subscriptions
Filtered by product Struts
Subscriptions
Total
87 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2016-4438 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. | ||||
CVE-2016-4436 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. | ||||
CVE-2016-4431 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. | ||||
CVE-2016-3082 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. | ||||
CVE-2016-4433 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. | ||||
CVE-2016-4465 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. | ||||
CVE-2015-0899 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. | ||||
CVE-2016-1181 | 2 Apache, Oracle | 3 Struts, Banking Platform, Portal | 2025-04-12 | N/A |
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899. | ||||
CVE-2016-4003 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter. | ||||
CVE-2014-0113 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. | ||||
CVE-2016-3081 | 2 Apache, Oracle | 2 Struts, Siebel E-billing | 2025-04-12 | N/A |
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. | ||||
CVE-2014-0112 | 2 Apache, Redhat | 2 Struts, Jboss Fuse | 2025-04-12 | N/A |
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. | ||||
CVE-2014-0094 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. | ||||
CVE-2014-0114 | 2 Apache, Redhat | 8 Commons Beanutils, Struts, Amq Broker and 5 more | 2025-04-12 | N/A |
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. | ||||
CVE-2014-0116 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. | ||||
CVE-2014-7809 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. | ||||
CVE-2016-0785 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. | ||||
CVE-2015-1831 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. | ||||
CVE-2016-3087 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin. | ||||
CVE-2016-4430 | 1 Apache | 1 Struts | 2025-04-12 | N/A |
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. |