CVE-2013-2134 – Apache Struts - OGNL Expression Injection
https://notcve.org/view.php?id=CVE-2013-2134
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. Apache Struts 2 anterior a 2.3.14.3 permite a atacantes remotos la ejecución arbitraria de código OGNL a través de peticiones con un nombre de acción manipulado que no es manejado correctamente durante la comparación de comodines. Vulnerabilidad distinta de CVE-2013-2135. • https://www.exploit-db.com/exploits/38549 http://security.gentoo.org/glsa/glsa-201409-04.xml http://struts.apache.org/development/2.x/docs/s2-015.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html http://www.securityfocus.com/bid/60346 http://www.securityfocus.com/bid/64758 https://cwiki.apache.org/confluence/display/WW/S2-015 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2013-1965
https://notcve.org/view.php?id=CVE-2013-1965
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. Apache Struts Showcase App versiones 2.0.0 hasta 2.3.13, como es usado en Struts versiones 2 anteriores a 2.3.14.3, permite a atacantes remotos ejecutar código OGNL arbitrario por medio de un nombre de parámetro diseñado que no es manejado apropiadamente cuando se invoca un redireccionamiento. • https://github.com/cinno/CVE-2013-1965 http://struts.apache.org/development/2.x/docs/s2-012.html http://www.securityfocus.com/bid/60082 https://bugzilla.redhat.com/show_bug.cgi?id=967655 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2013-1966 – Apache Struts - includeParams Remote Code Execution
https://notcve.org/view.php?id=CVE-2013-1966
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. Apache Struts versiones 2 anteriores a 2.3.14.2, permite a atacantes remotos ejecutar código OGNL arbitrario por medio de una petición diseñada que no es manejada apropiadamente cuando usa el atributo includeParams en la etiqueta (1) URL o (2) A. • https://www.exploit-db.com/exploits/25980 http://struts.apache.org/development/2.x/docs/s2-013.html http://www.securityfocus.com/bid/60166 https://bugzilla.redhat.com/show_bug.cgi?id=967656 https://cwiki.apache.org/confluence/display/WW/S2-013 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2013-2115 – Apache Struts - includeParams Remote Code Execution
https://notcve.org/view.php?id=CVE-2013-2115
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. Apache Struts 2 anterior a 2.3.14.2, permite a atacantes remotos ejecutar código OGNL a través de una petición manipulada que no es manejada adecuadamente cuando se usa el atributo includeParams en la (1)URL o la (2) etiqueta A. NOTA: esta cuestión se debe a una corrección incorrecta del CVE-2013-1966. • https://www.exploit-db.com/exploits/25980 http://struts.apache.org/development/2.x/docs/s2-014.html http://www.securityfocus.com/bid/60167 https://bugzilla.redhat.com/show_bug.cgi?id=967656 https://cwiki.apache.org/confluence/display/WW/S2-014 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2011-3923 – Apache Struts - 'ParametersInterceptor' Remote Code Execution
https://notcve.org/view.php?id=CVE-2011-3923
Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands. Apache Struts versiones anteriores a 2.3.1.2, permite a atacantes remotos omitir las protecciones de seguridad en la clase ParameterInterceptor y ejecutar comandos arbitrarios. • https://www.exploit-db.com/exploits/24874 http://seclists.org/fulldisclosure/2014/Jul/38 http://www.exploit-db.com/exploits/24874 http://www.securityfocus.com/bid/51628 http://www.securitytracker.com/id?1026575 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3923 https://exchange.xforce.ibmcloud.com/vulnerabilities/72585 https://security-tracker.debian.org/tracker/CVE-2011-3923 • CWE-732: Incorrect Permission Assignment for Critical Resource •