Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.
Max CVSS
7.5
EPSS Score
1.55%
Published
2006-03-30
Updated
2023-02-13

CVE-2006-1547

Known exploited
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
Max CVSS
7.8
EPSS Score
1.42%
Published
2006-03-30
Updated
2017-07-20
CISA KEV Added
2022-01-21

CVE-2011-3923

Public exploit
Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.
Max CVSS
9.8
EPSS Score
94.95%
Published
2019-11-01
Updated
2019-12-02

CVE-2012-0391

Known exploited
Public exploit
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Max CVSS
9.3
EPSS Score
36.44%
Published
2012-01-08
Updated
2018-11-23
CISA KEV Added
2022-01-21
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
Max CVSS
6.8
EPSS Score
94.96%
Published
2012-01-08
Updated
2021-03-05
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
Max CVSS
6.4
EPSS Score
92.06%
Published
2012-01-08
Updated
2018-11-28

CVE-2012-0394

Public exploit
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself.
Max CVSS
6.8
EPSS Score
94.20%
Published
2012-01-08
Updated
2024-03-21
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.
Max CVSS
10.0
EPSS Score
1.89%
Published
2012-03-02
Updated
2018-12-07
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
Max CVSS
8.8
EPSS Score
0.22%
Published
2019-12-05
Updated
2023-02-13
The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.
Max CVSS
6.8
EPSS Score
0.19%
Published
2012-09-05
Updated
2017-08-29
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
Max CVSS
9.3
EPSS Score
0.81%
Published
2013-07-10
Updated
2019-08-12

CVE-2013-1966

Public exploit
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.
Max CVSS
9.3
EPSS Score
1.86%
Published
2013-07-10
Updated
2019-08-12

CVE-2013-2115

Public exploit
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.
Max CVSS
9.3
EPSS Score
0.22%
Published
2013-07-10
Updated
2020-09-24
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
Max CVSS
9.3
EPSS Score
96.59%
Published
2013-07-16
Updated
2018-11-23
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
Max CVSS
9.3
EPSS Score
95.74%
Published
2013-07-16
Updated
2018-11-23

CVE-2013-2251

Known exploited
Public exploit
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
Max CVSS
9.3
EPSS Score
97.42%
Published
2013-07-20
Updated
2020-10-20
CISA KEV Added
2022-03-25
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
Max CVSS
10.0
EPSS Score
0.87%
Published
2013-09-30
Updated
2016-12-07

CVE-2014-0112

Public exploit
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Max CVSS
7.5
EPSS Score
97.40%
Published
2014-04-29
Updated
2019-08-12
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Max CVSS
7.5
EPSS Score
96.87%
Published
2014-04-29
Updated
2019-08-12

CVE-2014-0114

Public exploit
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Max CVSS
7.5
EPSS Score
97.31%
Published
2014-04-30
Updated
2023-02-13
Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
Max CVSS
6.8
EPSS Score
0.19%
Published
2014-12-10
Updated
2018-10-09
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
Max CVSS
7.5
EPSS Score
94.91%
Published
2016-07-04
Updated
2018-07-01
The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.
Max CVSS
7.5
EPSS Score
1.19%
Published
2015-07-16
Updated
2017-09-22
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
Max CVSS
6.1
EPSS Score
0.59%
Published
2020-02-27
Updated
2021-01-08
Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.
Max CVSS
6.1
EPSS Score
0.48%
Published
2017-09-25
Updated
2018-11-23
60 vulnerabilities found
1 2 3
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!