CVSS: 9.3EPSS: 92%CPEs: 1EXPL: 1CVE-2013-2134 – Apache Struts - OGNL Expression Injection
https://notcve.org/view.php?id=CVE-2013-2134
16 Jul 2013 — Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. Apache Struts 2 anterior a 2.3.14.3 permite a atacantes remotos la ejecución arbitraria de código OGNL a través de peticiones con un nombre de acción manipulado que no es manejado correctamente durante la comparación de comodines. Vulnerabilidad distinta de CVE-2013-2135. Multiple v... • https://www.exploit-db.com/exploits/38549 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 90%CPEs: 1EXPL: 0CVE-2013-2135
https://notcve.org/view.php?id=CVE-2013-2135
16 Jul 2013 — Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. Apache Struts 2 anterior a v2.3.14.3 permite a atacantes remotos ejecutar código OGNL arbitrario mediante una solicitud con un valor especialmente diseñado que contiene las secuencias "${}" y "%{}", lo que produce que el código OGNL sea evaluado dos veces. • http://struts.apache.org/development/2.x/docs/s2-015.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 92%CPEs: 2EXPL: 1CVE-2013-1965
https://notcve.org/view.php?id=CVE-2013-1965
10 Jul 2013 — Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. Apache Struts Showcase App versiones 2.0.0 hasta 2.3.13, como es usado en Struts versiones 2 anteriores a 2.3.14.3, permite a atacantes remotos ejecutar código OGNL arbitrario por medio de un nombre de parámetro diseñado que no es manejado apropiadamente cuando se invoca un redirecciona... • https://github.com/cinno/CVE-2013-1965 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 92%CPEs: 1EXPL: 2CVE-2013-1966 – Apache Struts - includeParams Remote Code Execution
https://notcve.org/view.php?id=CVE-2013-1966
02 Jun 2013 — Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. Apache Struts versiones 2 anteriores a 2.3.14.2, permite a atacantes remotos ejecutar código OGNL arbitrario por medio de una petición diseñada que no es manejada apropiadamente cuando usa el atributo includeParams en la etiqueta (1) URL o (2) A. • https://packetstorm.news/files/id/121847 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 92%CPEs: 1EXPL: 2CVE-2013-2115 – Apache Struts - includeParams Remote Code Execution
https://notcve.org/view.php?id=CVE-2013-2115
28 May 2013 — Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. Apache Struts 2 anterior a 2.3.14.2, permite a atacantes remotos ejecutar código OGNL a través de una petición manipulada que no es manejada adecuadamente cuando se usa el atributo includeParams en la (1)URL o la (2) etiqueta A. NOTA: esta cu... • https://packetstorm.news/files/id/121847 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.8EPSS: 3%CPEs: 35EXPL: 0CVE-2012-4386
https://notcve.org/view.php?id=CVE-2012-4386
05 Sep 2012 — The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute. El mecanismo de control token en Apache Struts v2.0.0 a través de v2.3.4 no valida correctamente el parámetro de configuración name permitiendo a atacantes remotos realizar ataques de falsificaciones de petición en sitios cru... • http://secunia.com/advisories/50420 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 2%CPEs: 35EXPL: 0CVE-2012-4387
https://notcve.org/view.php?id=CVE-2012-4387
05 Sep 2012 — Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. Apache Struts v2.0.0 a través de v2.3.4 permite a atacantes remotos provocar una denegación de servicio (consumo de CPU) a través de un nombre de parámetro largo, que se procesa como una expresión OGNL ... • http://secunia.com/advisories/50420 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 60%CPEs: 1EXPL: 0CVE-2012-0838
https://notcve.org/view.php?id=CVE-2012-0838
02 Mar 2012 — Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. Apache Struts 2 anteriores a 2.2.3.1 evalúa una cadena como una expresión OGNL durante el manejo de un error de conversión, lo que permite a atacantes remotos modificar valores de datos de tiempo de ejecución y, por lo tanto, ejecutar código arbitrario, a través d... • http://jvn.jp/en/jp/JVN79099262/index.html • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 50%CPEs: 1EXPL: 1CVE-2011-5057 – Apache Struts 2.0.9/2.1.8 - Session Tampering Security Bypass
https://notcve.org/view.php?id=CVE-2011-5057
08 Jan 2012 — Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this repo... • https://www.exploit-db.com/exploits/36426 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 91%CPEs: 1EXPL: 5CVE-2012-0391 – Apache Struts 2 Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2012-0391
08 Jan 2012 — The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. El componente ExceptionDelegator en Apache Struts antes de v2.2.3.1 interpreta los valores de los parámetros como expresiones OGNL durante el manejo de determinadas excepciones en tipos de datos de propiedades no coincidentes, lo que perm... • https://www.exploit-db.com/exploits/18984 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •