Note: This project will be discontinued after December 13, 2021.
Product: Struts (Apache)

Repositories | https://github.com/kawasima/struts1-forever |
#Vulnerabilities | 84 |

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2016-07-04 | CVE-2016-4431 | Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. | Struts | 7.5 | ||
2016-07-04 | CVE-2016-4430 | Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. | Struts | 8.8 | ||
2016-04-12 | CVE-2016-4003 | Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter. | Struts | 6.1 | ||
2017-10-30 | CVE-2016-3090 | The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. | Struts | 8.8 | ||
2016-04-26 | CVE-2016-3082 | XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. | Struts | 9.8 | ||
2016-04-12 | CVE-2016-2162 | Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. | Struts | 6.1 | ||
2017-08-29 | CVE-2015-5209 | Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. | Struts | 7.5 | ||
2017-09-25 | CVE-2015-5169 | Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20. | Struts | 6.1 | ||
2015-07-16 | CVE-2015-1831 | The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. | Struts | N/A | ||
2016-07-04 | CVE-2015-0899 | The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. | Struts | 7.5 |