CVSS: 9.0EPSS: 9%CPEs: 2EXPL: 0CVE-2016-0785
https://notcve.org/view.php?id=CVE-2016-0785
12 Apr 2016 — Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. Apache Struts 2.x en versiones anteriores a 2.3.28 permite a atacantes remotos ejecutar código arbitrario a través de una secuencia "%{}" en un atributo de etiqueta, también conocido como evaluación OGNL doble forzada. • http://struts.apache.org/docs/s2-029.html • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 19%CPEs: 56EXPL: 0CVE-2016-2162
https://notcve.org/view.php?id=CVE-2016-2162
12 Apr 2016 — Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. Apache Struts 2.x en versiones anteriores a 2.3.25 no sanitiza el texto en el objeto Locale construído por I18NInterceptor, lo que podría permitir a atacantes remotos llevar a cabo ataques de XSS a través de vectores no especificados que implican la visualización de idio... • http://struts.apache.org/docs/s2-030.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 51EXPL: 0CVE-2014-7809
https://notcve.org/view.php?id=CVE-2014-7809
10 Dec 2014 — Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. Apache Struts 2.0.0 hasta 2.3.x anterior a 2.3.20 utiliza valores previsibles, lo que permite a atacantes remotos evadir el mecanismo de protección CSRF. • http://packetstormsecurity.com/files/129421/Apache-Struts-2.3.20-Security-Fixes.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.8EPSS: 1%CPEs: 50EXPL: 0CVE-2014-0116
https://notcve.org/view.php?id=CVE-2014-0116
08 May 2014 — CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. CookieInterceptor en Apache Struts versiones 2.x anteriores a 2.3.20, cuando un valor de cookiesName comodín es usado, no restringe apropiadamente el acceso al método ... • http://secunia.com/advisories/59816 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 97%CPEs: 1EXPL: 3CVE-2014-0112 – Apache Struts - ClassLoader Manipulation Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-0112
29 Apr 2014 — ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. ParametersInterceptor en Apache Struts versiones anteriores a 2.3.20, no restringe apropiadamente el acceso al método getClass, lo que permite a atacantes remotos "manipulate" el ClassLoader y ejecutar código ... • https://packetstorm.news/files/id/126445 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 92%CPEs: 1EXPL: 1CVE-2014-0113 – Apache Struts - ClassLoader Manipulation Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-0113
29 Apr 2014 — CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. CookieInterceptor en Apache Struts versiones anteriores a 2.3.20, cuando un valor de cookiesName comodín es usado, no restringe correctamente el acceso al método getClas... • https://www.exploit-db.com/exploits/33142 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 96%CPEs: 1EXPL: 5CVE-2014-0094 – Apache Struts - ClassLoader Manipulation Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-0094
10 Mar 2014 — The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. ParametersInterceptor en Apache Struts versiones anteriores a 2.3.16.2, permite a atacantes remotos "manipulate" el ClassLoader por medio del parámetro class, que se pasa al método getClass. VMware product updates address security vulnerabilities in Apache Struts library. • https://packetstorm.news/files/id/126445 •
CVSS: 5.8EPSS: 2%CPEs: 45EXPL: 0CVE-2013-4310
https://notcve.org/view.php?id=CVE-2013-4310
30 Sep 2013 — Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. Apache Struts v2.0.0 hasta v2.3.15.1 permite a atacantes remotos evitar los controles de acceso a través de una acción manipulada: prefix. • http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 2%CPEs: 56EXPL: 0CVE-2013-4316
https://notcve.org/view.php?id=CVE-2013-4316
30 Sep 2013 — Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. Apache Struts 2.0.0 hasta la versión 2.3.15.1 habilita por defecto Dynamic Method Invocation, lo cual tiene un impacto y vectores de ataque desconocidos. • http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html • CWE-16: Configuration CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 97%CPEs: 44EXPL: 6CVE-2013-2251 – Apache Struts Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2013-2251
18 Jul 2013 — Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. Apache Struts v2.0.0 hasta v2.3.15 permite a atacantes remotos ejecutar expresiones OGNL arbitrarias mediante un parámetro con una (1)acción:, (2) redirect:, o (3) redirectAction: Apache Archiva versions 1.3 through Continuum 1.3.6 and versions 1.2 through 1.2.2 are vulnerable to remote command execution. Apache Struts allo... • https://packetstorm.news/files/id/122796 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •