Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Struts
(Apache)| Repositories | https://github.com/kawasima/struts1-forever |
| #Vulnerabilities | 84 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2014-12-10 | CVE-2014-7809 | Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. | Struts | N/A | ||
| 2013-11-02 | CVE-2013-6348 | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/. | Struts | N/A | ||
| 2013-09-30 | CVE-2013-4316 | Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. | Struts, Flexcube_private_banking, Mysql_enterprise_monitor, Webcenter_sites | N/A | ||
| 2013-09-30 | CVE-2013-4310 | Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. | Struts | N/A | ||
| 2013-07-20 | CVE-2013-2248 | Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix. | Struts | N/A | ||
| 2013-07-16 | CVE-2013-2135 | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. | Struts | N/A | ||
| 2013-07-16 | CVE-2013-2134 | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. | Struts | N/A | ||
| 2013-07-10 | CVE-2013-2115 | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. | Struts | N/A | ||
| 2012-09-05 | CVE-2012-4387 | Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. | Struts | N/A | ||
| 2012-09-05 | CVE-2012-4386 | The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute. | Struts | N/A |