CVSS: 9.8EPSS: 52%CPEs: 5EXPL: 2CVE-2016-3087 – Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution
https://notcve.org/view.php?id=CVE-2016-3087
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin. Apache Struts versiones 2.3.19 hasta 2.3.20.2, versiones 2.3.21 hasta 2.3.24.1 y versiones 2.3.25 hasta 2.3.28, cuando Dynamic Method Invocation está habilitado, permite a atacantes remotos ejecutar código arbitrario por medio de vectores relacionados con un operador ! (signo de exclamación) en el Plugin REST. • https://www.exploit-db.com/exploits/39919 https://www.exploit-db.com/exploits/43382 http://struts.apache.org/docs/s2-033.html http://www-01.ibm.com/support/docview.wss?uid=swg21987854 http://www.securityfocus.com/bid/90960 http://www.securitytracker.com/id/1036017 • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 95%CPEs: 56EXPL: 0CVE-2016-3082
https://notcve.org/view.php?id=CVE-2016-3082
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. XSLTResult en Apache Struts 2.x en versiones anteriores a 2.3.20.2, 2.3.24.x en versiones anteriores a 2.3.24.2 y 2.3.28.x en versiones anteriores a 2.3.28.1 permite a atacantes remotos ejecutar código arbitrario a través del parámetro de hoja de cálculo location. • http://struts.apache.org/docs/s2-031.html http://www.securityfocus.com/bid/88826 http://www.securitytracker.com/id/1035664 • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 97%CPEs: 57EXPL: 2CVE-2016-3081 – Apache Struts - Dynamic Method Invocation Remote Code Execution
https://notcve.org/view.php?id=CVE-2016-3081
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. Apache Struts versiones 2.3.19 hasta 2.3.20.2, versiones 2.3.21 hasta 2.3.24.1 y versiones 2.3.25 hasta 2.3.28, cuando Dynamic Method Invocation está habilitado, permite a atacantes remotos ejecutar código arbitrario por medio del prefijo method:, relacionado con expresiones encadenadas. • https://www.exploit-db.com/exploits/39756 http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec http://www.rapid7.com/db/modules/explo • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •