CVSS: 9.8EPSS: 2%CPEs: 55EXPL: 0CVE-2016-4436
https://notcve.org/view.php?id=CVE-2016-4436
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. Apache Struts 2 en versiones anteriores a 2.3.29 y 2.5.x en versiones anteriores a 2.5.1 permiten a atacantes tener impacto no especificado a través de vectores relacionados con la limpieza de un nombre de acción inapropiado. • http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009282 http://www-01.ibm.com/support/docview.wss?uid=swg21987854 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.securityfocus.com/bid/91280 https://struts.apache.org/docs/s2-035.html •
CVSS: 5.3EPSS: 2%CPEs: 56EXPL: 0CVE-2016-3093
https://notcve.org/view.php?id=CVE-2016-3093
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. Apache Struts 2.0.0 hasta la versión 2.3.24.1 no cachea correctamente referencias al método cuando se utiliza con OGNL en versiones anteriores a 3.0.12, lo que permite a atacantes remotos provocar una denegación de servicio (bloqueo de acceso a sitio web) a través de vectores no especificados. • http://struts.apache.org/docs/s2-034.html http://www-01.ibm.com/support/docview.wss?uid=swg21987854 http://www.securityfocus.com/bid/90961 http://www.securitytracker.com/id/1036018 https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 97%CPEs: 57EXPL: 2CVE-2016-3081 – Apache Struts - Dynamic Method Invocation Remote Code Execution
https://notcve.org/view.php?id=CVE-2016-3081
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. Apache Struts versiones 2.3.19 hasta 2.3.20.2, versiones 2.3.21 hasta 2.3.24.1 y versiones 2.3.25 hasta 2.3.28, cuando Dynamic Method Invocation está habilitado, permite a atacantes remotos ejecutar código arbitrario por medio del prefijo method:, relacionado con expresiones encadenadas. • https://www.exploit-db.com/exploits/39756 http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec http://www.rapid7.com/db/modules/explo • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 95%CPEs: 56EXPL: 0CVE-2016-3082
https://notcve.org/view.php?id=CVE-2016-3082
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. XSLTResult en Apache Struts 2.x en versiones anteriores a 2.3.20.2, 2.3.24.x en versiones anteriores a 2.3.24.2 y 2.3.28.x en versiones anteriores a 2.3.28.1 permite a atacantes remotos ejecutar código arbitrario a través del parámetro de hoja de cálculo location. • http://struts.apache.org/docs/s2-031.html http://www.securityfocus.com/bid/88826 http://www.securitytracker.com/id/1035664 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 23%CPEs: 56EXPL: 0CVE-2016-2162
https://notcve.org/view.php?id=CVE-2016-2162
Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. Apache Struts 2.x en versiones anteriores a 2.3.25 no sanitiza el texto en el objeto Locale construído por I18NInterceptor, lo que podría permitir a atacantes remotos llevar a cabo ataques de XSS a través de vectores no especificados que implican la visualización de idioma. • http://struts.apache.org/docs/s2-030.html http://www.securityfocus.com/bid/85070 http://www.securitytracker.com/id/1035272 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •