CVSS: 5.3EPSS: 2%CPEs: 35EXPL: 0CVE-2012-4387
https://notcve.org/view.php?id=CVE-2012-4387
05 Sep 2012 — Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. Apache Struts v2.0.0 a través de v2.3.4 permite a atacantes remotos provocar una denegación de servicio (consumo de CPU) a través de un nombre de parámetro largo, que se procesa como una expresión OGNL ... • http://secunia.com/advisories/50420 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 50%CPEs: 1EXPL: 1CVE-2011-5057 – Apache Struts 2.0.9/2.1.8 - Session Tampering Security Bypass
https://notcve.org/view.php?id=CVE-2011-5057
08 Jan 2012 — Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this repo... • https://www.exploit-db.com/exploits/36426 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 93%CPEs: 1EXPL: 3CVE-2012-0392 – Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-0392
08 Jan 2012 — The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. El componente CookieInterceptor en Apache Struts antes de v2.3.1.1 no utiliza una lista blanca de nombres de parámetros, lo que permite a atacantes remotos ejecutar código de su elección a través de una cabecera de una Cookie HTTP debidamente modificada... • https://www.exploit-db.com/exploits/18329 •
CVSS: 6.5EPSS: 89%CPEs: 1EXPL: 4CVE-2012-0393 – Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-0393
08 Jan 2012 — The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object. El componente ParameterInterceptor en Apache Struts antes de la versión v2.3.1.1 no impide el acceso a los constructores públicos, lo que permite a atacantes remotos crear o sobreescribir archivos de su elección a través de un parámetro debidamente modificado... • https://www.exploit-db.com/exploits/18329 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 93%CPEs: 1EXPL: 5CVE-2012-0394 – Apache Struts - Developer Mode OGNL Execution
https://notcve.org/view.php?id=CVE-2012-0394
08 Jan 2012 — The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself. ** CUESTIONADA ** El componente DebuggingInterceptor en Apache Struts antes de la versión v2.3.1.1, cuando se usa el modo desarrollador (developer), permite ejecutar comandos de su elección a atacantes remotos a través de vectores no especificados. N... • https://packetstorm.news/files/id/125020 • CWE-94: Improper Control of Generation of Code ('Code Injection') •