CVSS: 9.3EPSS: 97%CPEs: 44EXPL: 3CVE-2013-2251 – Apache Struts Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2013-2251
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. Apache Struts v2.0.0 hasta v2.3.15 permite a atacantes remotos ejecutar expresiones OGNL arbitrarias mediante un parámetro con una (1)acción:, (2) redirect:, o (3) redirectAction: Struts2 suffers from an OGNL injection vulnerability that allows for redirection. Versions 2.0.0 through 2.3.15 are affected. Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions. • https://www.exploit-db.com/exploits/27135 https://www.exploit-db.com/exploits/44583 https://github.com/nth347/CVE-2013-2251 http://archiva.apache.org/security.html http://cxsecurity.com/issue/WLB-2014010087 http://osvdb.org/98445 http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2013/Oct/96 http://seclists.org/oss-sec/2014/q1/89 http://struts.apache.org/release/2.3.x/docs/s2-016.html http:&#x • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 94%CPEs: 1EXPL: 0CVE-2013-2135
https://notcve.org/view.php?id=CVE-2013-2135
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. Apache Struts 2 anterior a v2.3.14.3 permite a atacantes remotos ejecutar código OGNL arbitrario mediante una solicitud con un valor especialmente diseñado que contiene las secuencias "${}" y "%{}", lo que produce que el código OGNL sea evaluado dos veces. • http://struts.apache.org/development/2.x/docs/s2-015.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html http://www.securityfocus.com/bid/64758 https://cwiki.apache.org/confluence/display/WW/S2-015 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 96%CPEs: 1EXPL: 1CVE-2013-2134 – Apache Struts - OGNL Expression Injection
https://notcve.org/view.php?id=CVE-2013-2134
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. Apache Struts 2 anterior a 2.3.14.3 permite a atacantes remotos la ejecución arbitraria de código OGNL a través de peticiones con un nombre de acción manipulado que no es manejado correctamente durante la comparación de comodines. Vulnerabilidad distinta de CVE-2013-2135. • https://www.exploit-db.com/exploits/38549 http://security.gentoo.org/glsa/glsa-201409-04.xml http://struts.apache.org/development/2.x/docs/s2-015.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html http://www.securityfocus.com/bid/60346 http://www.securityfocus.com/bid/64758 https://cwiki.apache.org/confluence/display/WW/S2-015 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 1CVE-2013-1965
https://notcve.org/view.php?id=CVE-2013-1965
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. Apache Struts Showcase App versiones 2.0.0 hasta 2.3.13, como es usado en Struts versiones 2 anteriores a 2.3.14.3, permite a atacantes remotos ejecutar código OGNL arbitrario por medio de un nombre de parámetro diseñado que no es manejado apropiadamente cuando se invoca un redireccionamiento. • https://github.com/cinno/CVE-2013-1965 http://struts.apache.org/development/2.x/docs/s2-012.html http://www.securityfocus.com/bid/60082 https://bugzilla.redhat.com/show_bug.cgi?id=967655 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 1%CPEs: 1EXPL: 1CVE-2013-1966 – Apache Struts - includeParams Remote Code Execution
https://notcve.org/view.php?id=CVE-2013-1966
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. Apache Struts versiones 2 anteriores a 2.3.14.2, permite a atacantes remotos ejecutar código OGNL arbitrario por medio de una petición diseñada que no es manejada apropiadamente cuando usa el atributo includeParams en la etiqueta (1) URL o (2) A. • https://www.exploit-db.com/exploits/25980 http://struts.apache.org/development/2.x/docs/s2-013.html http://www.securityfocus.com/bid/60166 https://bugzilla.redhat.com/show_bug.cgi?id=967656 https://cwiki.apache.org/confluence/display/WW/S2-013 • CWE-94: Improper Control of Generation of Code ('Code Injection') •