CVSS: 6.1EPSS: 11%CPEs: 1EXPL: 0CVE-2016-4003
https://notcve.org/view.php?id=CVE-2016-4003
12 Apr 2016 — Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter. Vulnerabilidad de XSS en la función URLDecoder en JRE en versiones anteriores a 1.8, tal y como se utiliza en Apache Struts 2.x en versiones anteriores a 2.3.28, cuando utiliza una codificación de página de un solo byte, per... • http://struts.apache.org/docs/s2-028.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 9%CPEs: 2EXPL: 0CVE-2016-0785
https://notcve.org/view.php?id=CVE-2016-0785
12 Apr 2016 — Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. Apache Struts 2.x en versiones anteriores a 2.3.28 permite a atacantes remotos ejecutar código arbitrario a través de una secuencia "%{}" en un atributo de etiqueta, también conocido como evaluación OGNL doble forzada. • http://struts.apache.org/docs/s2-029.html • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 19%CPEs: 56EXPL: 0CVE-2016-2162
https://notcve.org/view.php?id=CVE-2016-2162
12 Apr 2016 — Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. Apache Struts 2.x en versiones anteriores a 2.3.25 no sanitiza el texto en el objeto Locale construído por I18NInterceptor, lo que podría permitir a atacantes remotos llevar a cabo ataques de XSS a través de vectores no especificados que implican la visualización de idio... • http://struts.apache.org/docs/s2-030.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 51EXPL: 0CVE-2014-7809
https://notcve.org/view.php?id=CVE-2014-7809
10 Dec 2014 — Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. Apache Struts 2.0.0 hasta 2.3.x anterior a 2.3.20 utiliza valores previsibles, lo que permite a atacantes remotos evadir el mecanismo de protección CSRF. • http://packetstormsecurity.com/files/129421/Apache-Struts-2.3.20-Security-Fixes.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.8EPSS: 1%CPEs: 50EXPL: 0CVE-2014-0116
https://notcve.org/view.php?id=CVE-2014-0116
08 May 2014 — CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. CookieInterceptor en Apache Struts versiones 2.x anteriores a 2.3.20, cuando un valor de cookiesName comodín es usado, no restringe apropiadamente el acceso al método ... • http://secunia.com/advisories/59816 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 97%CPEs: 1EXPL: 3CVE-2014-0112 – Apache Struts - ClassLoader Manipulation Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-0112
29 Apr 2014 — ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. ParametersInterceptor en Apache Struts versiones anteriores a 2.3.20, no restringe apropiadamente el acceso al método getClass, lo que permite a atacantes remotos "manipulate" el ClassLoader y ejecutar código ... • https://packetstorm.news/files/id/126445 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 92%CPEs: 1EXPL: 1CVE-2014-0113 – Apache Struts - ClassLoader Manipulation Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-0113
29 Apr 2014 — CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. CookieInterceptor en Apache Struts versiones anteriores a 2.3.20, cuando un valor de cookiesName comodín es usado, no restringe correctamente el acceso al método getClas... • https://www.exploit-db.com/exploits/33142 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 96%CPEs: 1EXPL: 5CVE-2014-0094 – Apache Struts - ClassLoader Manipulation Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-0094
10 Mar 2014 — The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. ParametersInterceptor en Apache Struts versiones anteriores a 2.3.16.2, permite a atacantes remotos "manipulate" el ClassLoader por medio del parámetro class, que se pasa al método getClass. VMware product updates address security vulnerabilities in Apache Struts library. • https://packetstorm.news/files/id/126445 •
CVSS: 5.8EPSS: 2%CPEs: 45EXPL: 0CVE-2013-4310
https://notcve.org/view.php?id=CVE-2013-4310
30 Sep 2013 — Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. Apache Struts v2.0.0 hasta v2.3.15.1 permite a atacantes remotos evitar los controles de acceso a través de una acción manipulada: prefix. • http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 2%CPEs: 56EXPL: 0CVE-2013-4316
https://notcve.org/view.php?id=CVE-2013-4316
30 Sep 2013 — Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. Apache Struts 2.0.0 hasta la versión 2.3.15.1 habilita por defecto Dynamic Method Invocation, lo cual tiene un impacto y vectores de ataque desconocidos. • http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html • CWE-16: Configuration CWE-284: Improper Access Control •