CVSS: 6.5EPSS: 89%CPEs: 1EXPL: 4CVE-2012-0393 – Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-0393
08 Jan 2012 — The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object. El componente ParameterInterceptor en Apache Struts antes de la versión v2.3.1.1 no impide el acceso a los constructores públicos, lo que permite a atacantes remotos crear o sobreescribir archivos de su elección a través de un parámetro debidamente modificado... • https://www.exploit-db.com/exploits/18329 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 93%CPEs: 1EXPL: 5CVE-2012-0394 – Apache Struts - Developer Mode OGNL Execution
https://notcve.org/view.php?id=CVE-2012-0394
08 Jan 2012 — The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself. ** CUESTIONADA ** El componente DebuggingInterceptor en Apache Struts antes de la versión v2.3.1.1, cuando se usa el modo desarrollador (developer), permite ejecutar comandos de su elección a atacantes remotos a través de vectores no especificados. N... • https://packetstorm.news/files/id/125020 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 1%CPEs: 28EXPL: 1CVE-2011-2087
https://notcve.org/view.php?id=CVE-2011-2087
13 May 2011 — Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of value attributes in (1) FileHandler.java, (2) HiddenHandler.java, (3) PasswordHandler.java, (4) RadioHandler.java, (5) ResetHandler.java, (6) SelectHandler.java, (7) SubmitHandler.java, and (8) TextFieldHandler... • http://struts.apache.org/2.2.3/docs/version-notes-223.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 2%CPEs: 4EXPL: 0CVE-2011-2088
https://notcve.org/view.php?id=CVE-2011-2088
13 May 2011 — XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3. XWork v2.2.1 en Apache Struts v2.2.1, y XWork OpenSymphony en OpenSymphony WebWork, permite a atacantes remotos obtener información sensible acerca de las rutas internas de clases Java a través de vectores implic... • http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.7EPSS: 75%CPEs: 30EXPL: 5CVE-2011-1772 – Apache Struts 2.0.0 < 2.2.1.1 - XWork 's:submit' HTML Tag Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-1772
13 May 2011 — Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en XWork en Apache Struts v2.x anterior a v2.2.3, y OpenSymphony XWork e... • https://www.exploit-db.com/exploits/35735 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 92%CPEs: 26EXPL: 3CVE-2010-1870 – Apache Struts < 2.2.0 - Remote Command Execution
https://notcve.org/view.php?id=CVE-2010-1870
17 Aug 2010 — The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possib... • https://www.exploit-db.com/exploits/17691 •
CVSS: 6.1EPSS: 3%CPEs: 3EXPL: 0CVE-2007-6726
https://notcve.org/view.php?id=CVE-2007-6726
09 Apr 2009 — Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving (1) xip_client.html and (2) xip_server.html in src/io/. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) Dojo v0.4.1 y v0.4.2, como el utilizado en Apache Struts y otros productos, permite a atacantes remotos inyectar web script o HTML de su elección a través de ve... • http://www.dojotoolkit.org/0-4-3-and-updated-0-4-1-0-4-2-builds • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 9EXPL: 0CVE-2008-2025
https://notcve.org/view.php?id=CVE-2008-2025
09 Apr 2009 — Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters." Vulnerabilidades de secuencias de comandos en sitios cruzados (XSS)en Apache Struts anteriores a v1.2.9-162.31.1 en SUSE Linux E... • http://download.opensuse.org/update/10.3-test/repodata/patch-struts-5872.xml • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 2%CPEs: 3EXPL: 0CVE-2009-1275
https://notcve.org/view.php?id=CVE-2009-1275
09 Apr 2009 — Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags. Apache Tiles v2.1 anteriores a v2.1.2, como las usadas en Apache Struts y otros productos, evalúan las expresiones del lenguaje de expresiones (EL)... • http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt?revision=741913 •
CVSS: 6.1EPSS: 3%CPEs: 5EXPL: 0CVE-2008-6682
https://notcve.org/view.php?id=CVE-2008-6682
09 Apr 2009 — Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Apache Struts v2.0.x anteriores a v2.0.11.1 y v2.1.x anteriores a v2.1.1 permi... • http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •