Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.struts/struts2-core@2.0.0
Type maven
Namespace org.apache.struts
Name struts2-core
Version 2.0.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.0.11.1
Latest_non_vulnerable_version 7.1.1
Affected_by_vulnerabilities
0
url VCID-3bjt-18pc-vfe8
vulnerability_id VCID-3bjt-18pc-vfe8
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag.
references
0
reference_url https://github.com/apache/struts/commit/09147ffad2b3046ed21af0f524c5088e2ac551e6
reference_id
reference_type
scores
url https://github.com/apache/struts/commit/09147ffad2b3046ed21af0f524c5088e2ac551e6
1
reference_url https://github.com/apache/struts/commit/bd3f2f59c9b09f70aed3ebab6bb69b464ee2d6cb
reference_id
reference_type
scores
url https://github.com/apache/struts/commit/bd3f2f59c9b09f70aed3ebab6bb69b464ee2d6cb
2
reference_url https://github.com/apache/struts/commit/dae026a0f0511f83852053bae9d5a622e7f80486
reference_id
reference_type
scores
url https://github.com/apache/struts/commit/dae026a0f0511f83852053bae9d5a622e7f80486
3
reference_url https://issues.apache.org/struts/browse/WW-2414
reference_id
reference_type
scores
url https://issues.apache.org/struts/browse/WW-2414
4
reference_url https://issues.apache.org/struts/browse/WW-2427
reference_id
reference_type
scores
url https://issues.apache.org/struts/browse/WW-2427
5
reference_url https://web.archive.org/web/20080610075918/http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449i20.html
reference_id
reference_type
scores
url https://web.archive.org/web/20080610075918/http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449i20.html
6
reference_url https://web.archive.org/web/20080611112834/http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449.html
reference_id
reference_type
scores
url https://web.archive.org/web/20080611112834/http://www.nabble.com/Feedback%3A-WW-2414%2C-XSS-attack-is-possible-if-using-%3Cs%3Aurl-...%3E-and-%3Cs%3Aa-...%3E-td14771449.html
7
reference_url https://web.archive.org/web/20200229155553/http://www.securityfocus.com/bid/34686
reference_id
reference_type
scores
url https://web.archive.org/web/20200229155553/http://www.securityfocus.com/bid/34686
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2008-6682
reference_id CVE-2008-6682
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2008-6682
9
reference_url https://github.com/advisories/GHSA-jgcr-9c2q-rvp8
reference_id GHSA-jgcr-9c2q-rvp8
reference_type
scores
url https://github.com/advisories/GHSA-jgcr-9c2q-rvp8
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.0.11.1
purl pkg:maven/org.apache.struts/struts2-core@2.0.11.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.0.11.1
1
url pkg:maven/org.apache.struts/struts2-core@2.1.1
purl pkg:maven/org.apache.struts/struts2-core@2.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dj42-wym9-nbhv
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.1.1
aliases CVE-2008-6682, GHSA-jgcr-9c2q-rvp8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3bjt-18pc-vfe8
1
url VCID-4bzw-ges2-d7ek
vulnerability_id VCID-4bzw-ges2-d7ek
summary
Apache Struts forced double OGNL evaluation
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
references
0
reference_url https://github.com/apache/struts
reference_id
reference_type
scores
url https://github.com/apache/struts
1
reference_url https://security.netapp.com/advisory/ntap-20180629-0004
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20180629-0004
2
reference_url https://struts.apache.org/docs/s2-036.html
reference_id
reference_type
scores
url https://struts.apache.org/docs/s2-036.html
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-4461
reference_id CVE-2016-4461
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2016-4461
4
reference_url https://github.com/advisories/GHSA-864w-r5qj-h6fj
reference_id GHSA-864w-r5qj-h6fj
reference_type
scores
url https://github.com/advisories/GHSA-864w-r5qj-h6fj
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.29
purl pkg:maven/org.apache.struts/struts2-core@2.3.29
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dvxu-9sh6-qbef
1
vulnerability VCID-hrky-nmnv-g3eu
2
vulnerability VCID-mmth-7rgf-aqfa
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.29
aliases CVE-2016-4461, GHSA-864w-r5qj-h6fj
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4bzw-ges2-d7ek
2
url VCID-7hxh-btrk-skhg
vulnerability_id VCID-7hxh-btrk-skhg
summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
references
0
reference_url http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html
reference_id
reference_type
scores
url http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html
1
reference_url http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
reference_id
reference_type
scores
url http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
2
reference_url https://cwiki.apache.org/confluence/display/ww/s2-059
reference_id
reference_type
scores
url https://cwiki.apache.org/confluence/display/ww/s2-059
3
reference_url https://launchpad.support.sap.com/#/notes/2982840
reference_id
reference_type
scores
url https://launchpad.support.sap.com/#/notes/2982840
4
reference_url https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E
5
reference_url https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E
6
reference_url https://www.oracle.com/security-alerts/cpuApr2021.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpuApr2021.html
7
reference_url https://www.oracle.com/security-alerts/cpujan2021.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpujan2021.html
8
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpuoct2021.html
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-0230
reference_id CVE-2019-0230
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2019-0230
10
reference_url https://github.com/advisories/GHSA-wp4h-pvgw-5727
reference_id GHSA-wp4h-pvgw-5727
reference_type
scores
url https://github.com/advisories/GHSA-wp4h-pvgw-5727
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.5.22
purl pkg:maven/org.apache.struts/struts2-core@2.5.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.22
aliases CVE-2019-0230, GHSA-wp4h-pvgw-5727
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7hxh-btrk-skhg
3
url VCID-8cmt-z8g9-duf2
vulnerability_id VCID-8cmt-z8g9-duf2
summary
Apache Struts 2 is Missing XML Validation
Missing XML Validation vulnerability in Apache Struts.

This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.

Users are recommended to upgrade to version 6.1.1, which fixes the issue.
references
0
reference_url https://cwiki.apache.org/confluence/display/WW/S2-069
reference_id
reference_type
scores
url https://cwiki.apache.org/confluence/display/WW/S2-069
1
reference_url https://github.com/apache/struts
reference_id
reference_type
scores
url https://github.com/apache/struts
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68493
reference_id CVE-2025-68493
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-68493
3
reference_url https://github.com/advisories/GHSA-qcfc-hmrc-59x7
reference_id GHSA-qcfc-hmrc-59x7
reference_type
scores
url https://github.com/advisories/GHSA-qcfc-hmrc-59x7
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@6.1.1
purl pkg:maven/org.apache.struts/struts2-core@6.1.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@6.1.1
aliases CVE-2025-68493, GHSA-qcfc-hmrc-59x7
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8cmt-z8g9-duf2
4
url VCID-9mn7-d2mm-uqay
vulnerability_id VCID-9mn7-d2mm-uqay
summary
Cross-site Scripting
Cross-site scripting (XSS) vulnerability in the `URLDecoder` function in JRE, as used in Apache Struts, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in an url-encoded parameter.
references
0
reference_url https://issues.apache.org/jira/browse/WW-4507
reference_id
reference_type
scores
url https://issues.apache.org/jira/browse/WW-4507
1
reference_url http://struts.apache.org/docs/s2-028.html
reference_id
reference_type
scores
url http://struts.apache.org/docs/s2-028.html
2
reference_url http://www.securityfocus.com/bid/86311
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/86311
3
reference_url http://www.securitytracker.com/id/1035268
reference_id
reference_type
scores
url http://www.securitytracker.com/id/1035268
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-4003
reference_id CVE-2016-4003
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2016-4003
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.24.3
purl pkg:maven/org.apache.struts/struts2-core@2.3.24.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dvxu-9sh6-qbef
1
vulnerability VCID-hrky-nmnv-g3eu
2
vulnerability VCID-mmth-7rgf-aqfa
3
vulnerability VCID-qdsq-8td3-5qa1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.24.3
aliases CVE-2016-4003
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9mn7-d2mm-uqay
5
url VCID-dbzr-zyeu-73g8
vulnerability_id VCID-dbzr-zyeu-73g8
summary
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
The fix issued for CVE-2020-17530 was incomplete. From Apache Struts 2.0.0 to 2.5.29, some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to remote code execution and security degradation.
references
0
reference_url https://cwiki.apache.org/confluence/display/WW/S2-062
reference_id
reference_type
scores
url https://cwiki.apache.org/confluence/display/WW/S2-062
1
reference_url https://security.netapp.com/advisory/ntap-20220420-0001/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20220420-0001/
2
reference_url http://www.openwall.com/lists/oss-security/2022/04/12/6
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2022/04/12/6
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-31805
reference_id CVE-2021-31805
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-31805
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.5.30
purl pkg:maven/org.apache.struts/struts2-core@2.5.30
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.30
aliases CVE-2021-31805
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dbzr-zyeu-73g8
6
url VCID-gvwn-8r4r-47gm
vulnerability_id VCID-gvwn-8r4r-47gm
summary
Apache Struts has a Denial of Service vulnerability
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3.

Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.
references
0
reference_url https://cve.org/CVERecord?id=CVE-2025-64775
reference_id
reference_type
scores
url https://cve.org/CVERecord?id=CVE-2025-64775
1
reference_url https://cwiki.apache.org/confluence/display/WW/S2-068
reference_id
reference_type
scores
url https://cwiki.apache.org/confluence/display/WW/S2-068
2
reference_url https://github.com/apache/struts
reference_id
reference_type
scores
url https://github.com/apache/struts
3
reference_url https://github.com/apache/struts/commit/831568929cfba700f790f6ebe6e335f9f33fb468
reference_id
reference_type
scores
url https://github.com/apache/struts/commit/831568929cfba700f790f6ebe6e335f9f33fb468
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-66675
reference_id CVE-2025-66675
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-66675
5
reference_url https://github.com/advisories/GHSA-rg58-xhh7-mqjw
reference_id GHSA-rg58-xhh7-mqjw
reference_type
scores
url https://github.com/advisories/GHSA-rg58-xhh7-mqjw
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@6.8.0
purl pkg:maven/org.apache.struts/struts2-core@6.8.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@6.8.0
1
url pkg:maven/org.apache.struts/struts2-core@7.1.1
purl pkg:maven/org.apache.struts/struts2-core@7.1.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@7.1.1
aliases CVE-2025-66675, GHSA-rg58-xhh7-mqjw
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gvwn-8r4r-47gm
7
url VCID-mvdz-exud-3ybz
vulnerability_id VCID-mvdz-exud-3ybz
summary
Files or Directories Accessible to External Parties
An attacker can manipulate file upload params to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
references
0
reference_url https://cwiki.apache.org/confluence/display/WW/S2-066
reference_id
reference_type
scores
url https://cwiki.apache.org/confluence/display/WW/S2-066
1
reference_url https://github.com/apache/struts
reference_id
reference_type
scores
url https://github.com/apache/struts
2
reference_url https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163
reference_id
reference_type
scores
url https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163
3
reference_url https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6
reference_id
reference_type
scores
url https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6
4
reference_url https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
reference_id
reference_type
scores
url https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
5
reference_url https://security.netapp.com/advisory/ntap-20231214-0010
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20231214-0010
6
reference_url https://www.openwall.com/lists/oss-security/2023/12/07/1
reference_id
reference_type
scores
url https://www.openwall.com/lists/oss-security/2023/12/07/1
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-50164
reference_id CVE-2023-50164
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-50164
8
reference_url https://github.com/advisories/GHSA-2j39-qcjm-428w
reference_id GHSA-2j39-qcjm-428w
reference_type
scores
url https://github.com/advisories/GHSA-2j39-qcjm-428w
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.5.33
purl pkg:maven/org.apache.struts/struts2-core@2.5.33
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8cmt-z8g9-duf2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.33
1
url pkg:maven/org.apache.struts/struts2-core@6.3.0.2
purl pkg:maven/org.apache.struts/struts2-core@6.3.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@6.3.0.2
aliases CVE-2023-50164, GHSA-2j39-qcjm-428w
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mvdz-exud-3ybz
8
url VCID-nztp-y8p8-cqc6
vulnerability_id VCID-nztp-y8p8-cqc6
summary
Remote code execution in Apache Struts
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
references
0
reference_url https://cwiki.apache.org/confluence/display/WW/S2-061
reference_id
reference_type
scores
url https://cwiki.apache.org/confluence/display/WW/S2-061
1
reference_url https://github.com/apache/struts
reference_id
reference_type
scores
url https://github.com/apache/struts
2
reference_url https://security.netapp.com/advisory/ntap-20210115-0005
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210115-0005
3
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530
reference_id
reference_type
scores
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530
4
reference_url https://www.oracle.com/security-alerts/cpuApr2021.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpuApr2021.html
5
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpuapr2022.html
6
reference_url https://www.oracle.com/security-alerts/cpujan2021.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpujan2021.html
7
reference_url https://www.oracle.com/security-alerts/cpujan2022.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpujan2022.html
8
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
url https://www.oracle.com//security-alerts/cpujul2021.html
9
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpuoct2021.html
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-17530
reference_id CVE-2020-17530
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-17530
11
reference_url https://github.com/advisories/GHSA-jc35-q369-45pv
reference_id GHSA-jc35-q369-45pv
reference_type
scores
url https://github.com/advisories/GHSA-jc35-q369-45pv
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.5.26
purl pkg:maven/org.apache.struts/struts2-core@2.5.26
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.26
aliases CVE-2020-17530, GHSA-jc35-q369-45pv
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nztp-y8p8-cqc6
9
url VCID-q2ad-khtm-nqdr
vulnerability_id VCID-q2ad-khtm-nqdr
summary
Improper Input Validation
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
references
0
reference_url https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E
1
reference_url http://struts.apache.org/docs/s2-034.html
reference_id
reference_type
scores
url http://struts.apache.org/docs/s2-034.html
2
reference_url http://www-01.ibm.com/support/docview.wss?uid=swg21987854
reference_id
reference_type
scores
url http://www-01.ibm.com/support/docview.wss?uid=swg21987854
3
reference_url http://www.securityfocus.com/bid/90961
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/90961
4
reference_url http://www.securitytracker.com/id/1036018
reference_id
reference_type
scores
url http://www.securitytracker.com/id/1036018
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-3093
reference_id CVE-2016-3093
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2016-3093
6
reference_url https://github.com/advisories/GHSA-383p-xqxx-rrmp
reference_id GHSA-383p-xqxx-rrmp
reference_type
scores
url https://github.com/advisories/GHSA-383p-xqxx-rrmp
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.24.3
purl pkg:maven/org.apache.struts/struts2-core@2.3.24.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dvxu-9sh6-qbef
1
vulnerability VCID-hrky-nmnv-g3eu
2
vulnerability VCID-mmth-7rgf-aqfa
3
vulnerability VCID-qdsq-8td3-5qa1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.24.3
aliases CVE-2016-3093, GHSA-383p-xqxx-rrmp
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q2ad-khtm-nqdr
10
url VCID-z1jy-4da2-tyhk
vulnerability_id VCID-z1jy-4da2-tyhk
summary
Improper Input Validation
`XSLTResult` in Apache Struts allows remote attackers to execute arbitrary code via the stylesheet location parameter.
references
0
reference_url http://struts.apache.org/docs/s2-031.html
reference_id
reference_type
scores
url http://struts.apache.org/docs/s2-031.html
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-3082
reference_id CVE-2016-3082
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2016-3082
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.20.3
purl pkg:maven/org.apache.struts/struts2-core@2.3.20.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mmth-7rgf-aqfa
1
vulnerability VCID-qdsq-8td3-5qa1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20.3
1
url pkg:maven/org.apache.struts/struts2-core@2.3.24.3
purl pkg:maven/org.apache.struts/struts2-core@2.3.24.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dvxu-9sh6-qbef
1
vulnerability VCID-hrky-nmnv-g3eu
2
vulnerability VCID-mmth-7rgf-aqfa
3
vulnerability VCID-qdsq-8td3-5qa1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.24.3
2
url pkg:maven/org.apache.struts/struts2-core@2.3.28.1
purl pkg:maven/org.apache.struts/struts2-core@2.3.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dvxu-9sh6-qbef
1
vulnerability VCID-hrky-nmnv-g3eu
2
vulnerability VCID-mmth-7rgf-aqfa
3
vulnerability VCID-qdsq-8td3-5qa1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.28.1
aliases CVE-2016-3082
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z1jy-4da2-tyhk
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.0.0