CVSS: 5.0EPSS: 97%CPEs: 1EXPL: 5CVE-2014-0094 – Apache Struts ClassLoader Manipulation Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-0094
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. ParametersInterceptor en Apache Struts versiones anteriores a 2.3.16.2, permite a atacantes remotos "manipulate" el ClassLoader por medio del parámetro class, que se pasa al método getClass. • https://www.exploit-db.com/exploits/33142 https://www.exploit-db.com/exploits/41690 https://github.com/y0d3n/CVE-2014-0094 https://github.com/HasegawaTadamitsu/CVE-2014-0094-test-program-for-struts1 http://jvn.jp/en/jp/JVN19294237/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045 http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html http://secunia.com/advisories/56440 http://secunia.com/advisories/59178 http://struts.apache.org/release/2. •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 3CVE-2013-6348
https://notcve.org/view.php?id=CVE-2013-6348
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/. Vulnerabilidades múltiples de Cross Site Scripting (XSS) en Apache Struts 2.3.15.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) parámetro de espacio de nombres actionNames.action y (2) showConfig.action en la configuración del navegador • http://en.wooyun.org/bugs/wooyun-2013-034?2592 http://osvdb.org/99047 http://osvdb.org/99048 http://packetstormsecurity.com/files/123805/Struts-2.3.15.3-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2013/Oct/244 http://www.securitytracker.com/id/1029266 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 56EXPL: 0CVE-2013-4316
https://notcve.org/view.php?id=CVE-2013-4316
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. Apache Struts 2.0.0 hasta la versión 2.3.15.1 habilita por defecto Dynamic Method Invocation, lo cual tiene un impacto y vectores de ataque desconocidos. • http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html http://struts.apache.org/release/2.3.x/docs/s2-019.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.securityfocus.com/bid/64758 http://www.securitytracker.com/id/1029078 • CWE-16: Configuration CWE-284: Improper Access Control •
CVSS: 5.8EPSS: 1%CPEs: 45EXPL: 0CVE-2013-4310
https://notcve.org/view.php?id=CVE-2013-4310
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. Apache Struts v2.0.0 hasta v2.3.15.1 permite a atacantes remotos evitar los controles de acceso a través de una acción manipulada: prefix. • http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html http://archives.neohapsis.com/archives/bugtraq/2013-10/0083.html http://secunia.com/advisories/54919 http://secunia.com/advisories/56483 http://secunia.com/advisories/56492 http://struts.apache.org/release/2.3.x/docs/s2-018.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.securityfocus.com/bid/64758 http://www.securitytracker.com/id/1029077 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.8EPSS: 96%CPEs: 44EXPL: 1CVE-2013-2248 – Apache Struts 2.2.3 - Multiple Open Redirections
https://notcve.org/view.php?id=CVE-2013-2248
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix. Múltiples vulnerabilidades de redirección en Apache Struts v2.0.0 hasta v2.3.15 permite a atacantes remotos redirigir a los usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing mediante una URL en un parámetro usando (1) redirect: o (2) redirectAction: Struts2 suffers from an open redirection vulnerability. Versions 2.0.0 through 2.3.15 are affected. • https://www.exploit-db.com/exploits/38666 http://struts.apache.org/release/2.3.x/docs/s2-017.html http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html http://www.securityfocus.com/bid/61196 http://www.securityfocus.com/bid/64758 • CWE-20: Improper Input Validation •