CVSS: 5.8EPSS: 4%CPEs: 50EXPL: 0CVE-2014-0116
https://notcve.org/view.php?id=CVE-2014-0116
08 May 2014 — CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. CookieInterceptor en Apache Struts versiones 2.x anteriores a 2.3.20, cuando un valor de cookiesName comodín es usado, no restringe apropiadamente el acceso al método ... • http://secunia.com/advisories/59816 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 92%CPEs: 1EXPL: 3CVE-2014-0112 – Apache Struts - ClassLoader Manipulation Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-0112
29 Apr 2014 — ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. ParametersInterceptor en Apache Struts versiones anteriores a 2.3.20, no restringe apropiadamente el acceso al método getClass, lo que permite a atacantes remotos "manipulate" el ClassLoader y ejecutar código ... • https://packetstorm.news/files/id/126445 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 88%CPEs: 1EXPL: 1CVE-2014-0113 – Apache Struts - ClassLoader Manipulation Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-0113
29 Apr 2014 — CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. CookieInterceptor en Apache Struts versiones anteriores a 2.3.20, cuando un valor de cookiesName comodín es usado, no restringe correctamente el acceso al método getClas... • https://www.exploit-db.com/exploits/33142 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 93%CPEs: 1EXPL: 5CVE-2014-0094 – Apache Struts - ClassLoader Manipulation Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-0094
10 Mar 2014 — The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. ParametersInterceptor en Apache Struts versiones anteriores a 2.3.16.2, permite a atacantes remotos "manipulate" el ClassLoader por medio del parámetro class, que se pasa al método getClass. VMware product updates address security vulnerabilities in Apache Struts library. • https://packetstorm.news/files/id/126445 •
CVSS: 4.3EPSS: 6%CPEs: 1EXPL: 3CVE-2013-6348
https://notcve.org/view.php?id=CVE-2013-6348
02 Nov 2013 — Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/. Vulnerabilidades múltiples de Cross Site Scripting (XSS) en Apache Struts 2.3.15.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) parámetro de espacio de nombres actionNames.action y (2) showConfig.action en la configuración del nav... • http://en.wooyun.org/bugs/wooyun-2013-034?2592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 93%CPEs: 1EXPL: 5CVE-2012-0394 – Apache Struts - Developer Mode OGNL Execution
https://notcve.org/view.php?id=CVE-2012-0394
08 Jan 2012 — The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself. ** CUESTIONADA ** El componente DebuggingInterceptor en Apache Struts antes de la versión v2.3.1.1, cuando se usa el modo desarrollador (developer), permite ejecutar comandos de su elección a atacantes remotos a través de vectores no especificados. N... • https://packetstorm.news/files/id/125020 • CWE-94: Improper Control of Generation of Code ('Code Injection') •