CVSS: 7.5EPSS: 97%CPEs: 1EXPL: 3CVE-2014-0112 – Apache Struts ClassLoader Manipulation Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-0112
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. ParametersInterceptor en Apache Struts versiones anteriores a 2.3.20, no restringe apropiadamente el acceso al método getClass, lo que permite a atacantes remotos "manipulate" el ClassLoader y ejecutar código arbitrario por medio de una petición diseñada. NOTA: esta vulnerabilidad se presenta debido a una corrección incompleta de CVE-2014-0094. • https://www.exploit-db.com/exploits/33142 https://www.exploit-db.com/exploits/41690 http://jvn.jp/en/jp/JVN19294237/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045 http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html http://secunia.com/advisories/59178 http://secunia.com/advisories/59500 http://www-01.ibm.com/support/docview.wss?uid=swg21676706 http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.securityfocus&# • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 97%CPEs: 1EXPL: 5CVE-2014-0094 – Apache Struts ClassLoader Manipulation Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-0094
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. ParametersInterceptor en Apache Struts versiones anteriores a 2.3.16.2, permite a atacantes remotos "manipulate" el ClassLoader por medio del parámetro class, que se pasa al método getClass. • https://www.exploit-db.com/exploits/33142 https://www.exploit-db.com/exploits/41690 https://github.com/y0d3n/CVE-2014-0094 https://github.com/HasegawaTadamitsu/CVE-2014-0094-test-program-for-struts1 http://jvn.jp/en/jp/JVN19294237/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045 http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html http://secunia.com/advisories/56440 http://secunia.com/advisories/59178 http://struts.apache.org/release/2. •
CVSS: 10.0EPSS: 0%CPEs: 56EXPL: 0CVE-2013-4316
https://notcve.org/view.php?id=CVE-2013-4316
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. Apache Struts 2.0.0 hasta la versión 2.3.15.1 habilita por defecto Dynamic Method Invocation, lo cual tiene un impacto y vectores de ataque desconocidos. • http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html http://struts.apache.org/release/2.3.x/docs/s2-019.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.securityfocus.com/bid/64758 http://www.securitytracker.com/id/1029078 • CWE-16: Configuration CWE-284: Improper Access Control •
CVSS: 5.8EPSS: 1%CPEs: 45EXPL: 0CVE-2013-4310
https://notcve.org/view.php?id=CVE-2013-4310
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. Apache Struts v2.0.0 hasta v2.3.15.1 permite a atacantes remotos evitar los controles de acceso a través de una acción manipulada: prefix. • http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html http://archives.neohapsis.com/archives/bugtraq/2013-10/0083.html http://secunia.com/advisories/54919 http://secunia.com/advisories/56483 http://secunia.com/advisories/56492 http://struts.apache.org/release/2.3.x/docs/s2-018.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.securityfocus.com/bid/64758 http://www.securitytracker.com/id/1029077 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.8EPSS: 96%CPEs: 44EXPL: 1CVE-2013-2248 – Apache Struts 2.2.3 - Multiple Open Redirections
https://notcve.org/view.php?id=CVE-2013-2248
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix. Múltiples vulnerabilidades de redirección en Apache Struts v2.0.0 hasta v2.3.15 permite a atacantes remotos redirigir a los usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing mediante una URL en un parámetro usando (1) redirect: o (2) redirectAction: Struts2 suffers from an open redirection vulnerability. Versions 2.0.0 through 2.3.15 are affected. • https://www.exploit-db.com/exploits/38666 http://struts.apache.org/release/2.3.x/docs/s2-017.html http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html http://www.securityfocus.com/bid/61196 http://www.securityfocus.com/bid/64758 • CWE-20: Improper Input Validation •