CVSS: 7.5EPSS: 5%CPEs: 15EXPL: 0CVE-2014-0107 – Xalan-Java: insufficient constraints in secure processing feature
https://notcve.org/view.php?id=CVE-2014-0107
25 Mar 2014 — The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function. El TransformerFactory en Apache Xalan-Java ante... • http://rhn.redhat.com/errata/RHSA-2014-0348.html • CWE-264: Permissions, Privileges, and Access Controls CWE-358: Improperly Implemented Security Check for Standard •
CVSS: 10.0EPSS: 7%CPEs: 56EXPL: 0CVE-2013-4316
https://notcve.org/view.php?id=CVE-2013-4316
30 Sep 2013 — Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. Apache Struts 2.0.0 hasta la versión 2.3.15.1 habilita por defecto Dynamic Method Invocation, lo cual tiene un impacto y vectores de ataque desconocidos. • http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html • CWE-16: Configuration CWE-284: Improper Access Control •