CVSS: 4.3EPSS: 61%CPEs: 2EXPL: 1CVE-2012-1006 – Apache Struts - Multiple Persistent Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-1006
07 Feb 2012 — Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders. Múltiples vulnerabilidades de ejecución de comandos en sitos cruzados (XSS) en Apache Struts v2.0.14 y v2.2.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de los parámetros (1... • https://www.exploit-db.com/exploits/18452 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 2%CPEs: 1EXPL: 1CVE-2011-5057 – Apache Struts 2.0.9/2.1.8 - Session Tampering Security Bypass
https://notcve.org/view.php?id=CVE-2011-5057
08 Jan 2012 — Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this repo... • https://www.exploit-db.com/exploits/36426 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 94%CPEs: 1EXPL: 5CVE-2012-0394 – Apache Struts - Developer Mode OGNL Execution
https://notcve.org/view.php?id=CVE-2012-0394
08 Jan 2012 — The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself. ** CUESTIONADA ** El componente DebuggingInterceptor en Apache Struts antes de la versión v2.3.1.1, cuando se usa el modo desarrollador (developer), permite ejecutar comandos de su elección a atacantes remotos a través de vectores no especificados. N... • https://packetstorm.news/files/id/125020 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 87%CPEs: 1EXPL: 4CVE-2012-0393 – Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-0393
08 Jan 2012 — The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object. El componente ParameterInterceptor en Apache Struts antes de la versión v2.3.1.1 no impide el acceso a los constructores públicos, lo que permite a atacantes remotos crear o sobreescribir archivos de su elección a través de un parámetro debidamente modificado... • https://www.exploit-db.com/exploits/18329 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 96%CPEs: 1EXPL: 3CVE-2012-0392 – Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-0392
08 Jan 2012 — The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. El componente CookieInterceptor en Apache Struts antes de v2.3.1.1 no utiliza una lista blanca de nombres de parámetros, lo que permite a atacantes remotos ejecutar código de su elección a través de una cabecera de una Cookie HTTP debidamente modificada... • https://www.exploit-db.com/exploits/18329 •
CVSS: 9.8EPSS: 14%CPEs: 1EXPL: 5CVE-2012-0391 – Apache Struts 2 Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2012-0391
08 Jan 2012 — The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. El componente ExceptionDelegator en Apache Struts antes de v2.2.3.1 interpreta los valores de los parámetros como expresiones OGNL durante el manejo de determinadas excepciones en tipos de datos de propiedades no coincidentes, lo que perm... • https://www.exploit-db.com/exploits/18984 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 8%CPEs: 28EXPL: 1CVE-2011-2087
https://notcve.org/view.php?id=CVE-2011-2087
13 May 2011 — Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of value attributes in (1) FileHandler.java, (2) HiddenHandler.java, (3) PasswordHandler.java, (4) RadioHandler.java, (5) ResetHandler.java, (6) SelectHandler.java, (7) SubmitHandler.java, and (8) TextFieldHandler... • http://struts.apache.org/2.2.3/docs/version-notes-223.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.7EPSS: 1%CPEs: 30EXPL: 5CVE-2011-1772 – Apache Struts 2.0.0 < 2.2.1.1 - XWork 's:submit' HTML Tag Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-1772
13 May 2011 — Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en XWork en Apache Struts v2.x anterior a v2.2.3, y OpenSymphony XWork e... • https://www.exploit-db.com/exploits/35735 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2011-2088
https://notcve.org/view.php?id=CVE-2011-2088
13 May 2011 — XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3. XWork v2.2.1 en Apache Struts v2.2.1, y XWork OpenSymphony en OpenSymphony WebWork, permite a atacantes remotos obtener información sensible acerca de las rutas internas de clases Java a través de vectores implic... • http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 25%CPEs: 26EXPL: 3CVE-2010-1870 – Apache Struts < 2.2.0 - Remote Command Execution
https://notcve.org/view.php?id=CVE-2010-1870
17 Aug 2010 — The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possib... • https://www.exploit-db.com/exploits/17691 •