Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Struts
(Apache)| Repositories | https://github.com/kawasima/struts1-forever |
| #Vulnerabilities | 84 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2013-07-10 | CVE-2013-1966 | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. | Struts | N/A | ||
| 2013-07-10 | CVE-2013-1965 | Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. | Struts, Struts2\-Showcase | N/A | ||
| 2012-01-08 | CVE-2011-5057 | Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the... | Struts | N/A | ||
| 2017-12-01 | CVE-2017-15707 | In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. | Struts, Oncommand_balance, Agile_plm_framework, Enterprise_manager_for_virtualization, Financial_services_hedge_management_and_ifrs_valuations, Financial_services_market_risk_measurement_and_management, Global_lifecycle_management_opatchauto, Jd_edwards_enterpriseone_tools, Retail_order_broker, Retail_xstore_point_of_service, Webcenter_portal, Weblogic_server | 6.2 | ||
| 2017-10-16 | CVE-2016-4461 | Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785. | Struts, Oncommand_balance | 8.8 | ||
| 2017-09-20 | CVE-2017-9804 | In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672. | Struts | 7.5 | ||
| 2017-09-20 | CVE-2016-8738 | In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. | Struts | 5.9 | ||
| 2016-07-04 | CVE-2016-4465 | The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. | Struts | 5.3 | ||
| 2016-10-03 | CVE-2016-4436 | Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. | Struts | 9.8 | ||
| 2016-07-04 | CVE-2016-4433 | Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. | Struts | 7.5 |