Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Struts
(Apache)| Repositories | https://github.com/kawasima/struts1-forever |
| #Vulnerabilities | 84 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2016-04-26 | CVE-2016-3082 | XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. | Struts | 9.8 | ||
| 2016-04-12 | CVE-2016-2162 | Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. | Struts | 6.1 | ||
| 2017-08-29 | CVE-2015-5209 | Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. | Struts | 7.5 | ||
| 2017-09-25 | CVE-2015-5169 | Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20. | Struts | 6.1 | ||
| 2015-07-16 | CVE-2015-1831 | The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. | Struts | N/A | ||
| 2016-07-04 | CVE-2015-0899 | The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. | Struts | 7.5 | ||
| 2014-12-10 | CVE-2014-7809 | Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. | Struts | N/A | ||
| 2013-11-02 | CVE-2013-6348 | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/. | Struts | N/A | ||
| 2013-09-30 | CVE-2013-4316 | Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. | Struts, Flexcube_private_banking, Mysql_enterprise_monitor, Webcenter_sites | N/A | ||
| 2013-09-30 | CVE-2013-4310 | Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. | Struts | N/A |