CVSS: 6.8 • EPSS: 3% • CPEs: 35 • EXPL: 0

05 Sep 2012 — The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute. • http://secunia.com/advisories/50420 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.3 • EPSS: 2% • CPEs: 35 • EXPL: 0

05 Sep 2012 — Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. • http://secunia.com/advisories/50420 • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 5.3 • EPSS: 50% • CPEs: 1 • EXPL: 1

08 Jan 2012 — Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this repo... • https://www.exploit-db.com/exploits/36426 • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 6.8 • EPSS: 93% • CPEs: 1 • EXPL: 5

08 Jan 2012 — ** DISPUTED ** The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself." • https://packetstorm.news/files/id/125020 • CWE-94: Improper Control of Generation of Code ('Code Injection')