CVSS: 9.8EPSS: 94%CPEs: 2EXPL: 2CVE-2011-3923 – Apache Struts - 'ParametersInterceptor' Remote Code Execution
https://notcve.org/view.php?id=CVE-2011-3923
Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands. Apache Struts versiones anteriores a 2.3.1.2, permite a atacantes remotos omitir las protecciones de seguridad en la clase ParameterInterceptor y ejecutar comandos arbitrarios. • https://www.exploit-db.com/exploits/24874 http://seclists.org/fulldisclosure/2014/Jul/38 http://www.exploit-db.com/exploits/24874 http://www.securityfocus.com/bid/51628 http://www.securitytracker.com/id?1026575 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3923 https://exchange.xforce.ibmcloud.com/vulnerabilities/72585 https://security-tracker.debian.org/tracker/CVE-2011-3923 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.8EPSS: 0%CPEs: 35EXPL: 0CVE-2012-4386
https://notcve.org/view.php?id=CVE-2012-4386
The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute. El mecanismo de control token en Apache Struts v2.0.0 a través de v2.3.4 no valida correctamente el parámetro de configuración name permitiendo a atacantes remotos realizar ataques de falsificaciones de petición en sitios cruzados (CSRF) estableciendo el parámetro name de la configuración simbólica a un atributo de sesión • http://secunia.com/advisories/50420 http://struts.apache.org/2.x/docs/s2-010.html http://www.openwall.com/lists/oss-security/2012/09/01/4 http://www.openwall.com/lists/oss-security/2012/09/01/5 http://www.securityfocus.com/bid/55346 https://exchange.xforce.ibmcloud.com/vulnerabilities/78182 https://issues.apache.org/jira/browse/WW-3858 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.0EPSS: 1%CPEs: 35EXPL: 0CVE-2012-4387
https://notcve.org/view.php?id=CVE-2012-4387
Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. Apache Struts v2.0.0 a través de v2.3.4 permite a atacantes remotos provocar una denegación de servicio (consumo de CPU) a través de un nombre de parámetro largo, que se procesa como una expresión OGNL ... • http://secunia.com/advisories/50420 http://struts.apache.org/2.x/docs/s2-011.html http://www.openwall.com/lists/oss-security/2012/09/01/4 http://www.openwall.com/lists/oss-security/2012/09/01/5 http://www.securityfocus.com/bid/55346 https://exchange.xforce.ibmcloud.com/vulnerabilities/78183 https://issues.apache.org/jira/browse/WW-3860 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2012-0838
https://notcve.org/view.php?id=CVE-2012-0838
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. Apache Struts 2 anteriores a 2.2.3.1 evalúa una cadena como una expresión OGNL durante el manejo de un error de conversión, lo que permite a atacantes remotos modificar valores de datos de tiempo de ejecución y, por lo tanto, ejecutar código arbitrario, a través de una entrada inválida de un campo. • http://jvn.jp/en/jp/JVN79099262/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2012-000012 http://struts.apache.org/2.3.1.2/docs/s2-007.html https://issues.apache.org/jira/browse/WW-3668 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 61%CPEs: 2EXPL: 1CVE-2012-1006 – Apache Struts - Multiple Persistent Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-1006
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders. Múltiples vulnerabilidades de ejecución de comandos en sitos cruzados (XSS) en Apache Struts v2.0.14 y v2.2.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de los parámetros (1) Name o (2) LastName en struts2-showcase/person/ editPerson.action, o (3) el parámetro ClientName a struts2-rest-showcase/orders. • https://www.exploit-db.com/exploits/18452 http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt http://secpod.org/blog/?p=450 http://www.securityfocus.com/bid/51902 https://exchange.xforce.ibmcloud.com/vulnerabilities/72888 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •