
CVSS: 7.5 | EPSS: 92% | CPEs: 18 | EXPL: 5

29 Apr 2014 — Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. • https://packetstorm.news/files/id/149050 • CWE-20: Improper Input Validation; CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CVSS: 5.3 | EPSS: 93% | CPEs: 1 | EXPL: 5

10 Mar 2014 — The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. VMware product updates address security vulnerabilities in the Apache Struts library. • https://packetstorm.news/files/id/126445

CVSS: 4.3 | EPSS: 6% | CPEs: 1 | EXPL: 3

02 Nov 2013 — Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/. • http://en.wooyun.org/bugs/wooyun-2013-034?2592 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.8 | EPSS: 9% | CPEs: 45 | EXPL: 0

30 Sep 2013 — Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. • http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 10.0 | EPSS: 7% | CPEs: 56 | EXPL: 0

30 Sep 2013 — Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. • http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html • CWE-16: Configuration; CWE-284: Improper Access Control

CVSS: 9.8 | EPSS: 94% | CPEs: 44 | EXPL: 6

18 Jul 2013 — Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. Apache Archiva versions 1.3 through Continuum 1.3.6 and versions 1.2 through 1.2.2 are vulnerable to remote command execution. Apache Struts allo... • https://packetstorm.news/files/id/122796 • CWE-20: Improper Input Validation; CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 5.8 | EPSS: 93% | CPEs: 44 | EXPL: 2

18 Jul 2013 — Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix. • https://packetstorm.news/files/id/122797 • CWE-20: Improper Input Validation

CVSS: 9.3 | EPSS: 92% | CPEs: 1 | EXPL: 1

16 Jul 2013 — Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. Multiple v... • https://www.exploit-db.com/exploits/38549 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.3 | EPSS: 90% | CPEs: 1 | EXPL: 0

16 Jul 2013 — Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. • http://struts.apache.org/development/2.x/docs/s2-015.html • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.3 | EPSS: 92% | CPEs: 2 | EXPL: 1

10 Jul 2013 — Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. • https://github.com/cinno/CVE-2013-1965 • CWE-94: Improper Control of Generation of Code ('Code Injection')