CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2016-4430
https://notcve.org/view.php?id=CVE-2016-4430
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. Apache Struts 2 2.3.20 hasta la versión 2.3.28.1 no maneja adecuadamente la validación del token, lo que permite a atacantes remotos llevar a cabo ataques CSRF a través de vectores no especificados. • http://jvn.jp/en/jp/JVN45093481/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2016-000111 http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009282 http://www-01.ibm.com/support/docview.wss?uid=swg21987854 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.securityfocus.com/bid/91281 https://bugzilla.redhat.com/show_bug.cgi?id=1348249 https://struts.apache.org/docs/s2-038.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2016-4433
https://notcve.org/view.php?id=CVE-2016-4433
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. Apache Struts 2 2.3.20 hasta la versión 2.3.28.1 permite a atacantes remotos eludir las restricciones destinadas al acceso y llevar a cabo ataques de redirección a través de una petición manipulada. • http://jvn.jp/en/jp/JVN45093481/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2016-000112 http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009282 http://www-01.ibm.com/support/docview.wss?uid=swg21987854 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.securityfocus.com/bid/91282 https://bugzilla.redhat.com/show_bug.cgi?id=1348251 https://struts.apache.org/docs/s2-039.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2016-4431
https://notcve.org/view.php?id=CVE-2016-4431
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. Apache Struts 2 2.3.20 hasta la versión 2.3.28.1 permite a atacantes remotos eludir las restricciones destinadas al acceso y llevar a cabo ataques de redirección aprovechando un método por defecto. • http://jvn.jp/en/jp/JVN45093481/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2016-000113 http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009282 http://www-01.ibm.com/support/docview.wss?uid=swg21987854 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.securityfocus.com/bid/91284 https://bugzilla.redhat.com/show_bug.cgi?id=1348252 https://struts.apache.org/docs/s2-040.html • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 95%CPEs: 12EXPL: 0CVE-2016-4465
https://notcve.org/view.php?id=CVE-2016-4465
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. La clase URLValidator en Apache Struts 2 2.3.20 hasta la versión 2.3.28.1 y 2.5.x en versiones anteriores a 2.5.1 permite a atacantes remotos provocar una denegación de servicio a través de un valor nulo para un campo URL. • http://jvn.jp/en/jp/JVN12352818/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114 http://www-01.ibm.com/support/docview.wss?uid=swg21987854 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.securityfocus.com/bid/91278 https://bugzilla.redhat.com/show_bug.cgi?id=1348253 https://struts.apache.org/docs/s2-041.html • CWE-20: Improper Input Validation •
CVSS: 8.2EPSS: 42%CPEs: 28EXPL: 0CVE-2016-1182
https://notcve.org/view.php?id=CVE-2016-1182
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899. ActionServlet.java en Apache Struts 1 1.x hasta la versión 1.3.10 no restringe adecuadamente la configuración Validator, lo que permite a atacantes remotos llevar a cabo ataques de secuencias de comandos en sitios cruzados (XSS) o provocar una denegación de servicio a través de una entrada manipulada, un problema relacionado con CVE-2015-0899. • http://jvn.jp/en/jp/JVN65044642/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2016-000097 http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.oracle.com/technetwork/security- • CWE-20: Improper Input Validation •