Search for packages
| purl | pkg:maven/org.apache.struts.xwork/xwork-core@2.2.3.1 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6241-shkt-s7ew
Aliases: CVE-2013-2134 GHSA-gqqm-564f-vvxq |
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. |
Affected by 4 other vulnerabilities. |
|
VCID-hkjh-35ye-1ugj
Aliases: CVE-2013-2115 GHSA-7ghm-rpc7-p7g5 |
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. |
Affected by 6 other vulnerabilities. |
|
VCID-kdsa-599r-eud7
Aliases: CVE-2014-0094 GHSA-vrwc-qjmw-5rjm |
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. |
Affected by 3 other vulnerabilities. |
|
VCID-p9xh-frm5-8ucp
Aliases: CVE-2015-1831 GHSA-q2cg-xf9p-h457 |
The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. |
Affected by 3 other vulnerabilities. |
|
VCID-q96z-v3bs-k3dg
Aliases: CVE-2012-4387 GHSA-hrgc-54mv-58gv |
Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. |
Affected by 8 other vulnerabilities. |
|
VCID-tgd1-s1yg-9fdt
Aliases: CVE-2025-68493 GHSA-qcfc-hmrc-59x7 |
Apache Struts 2 is Missing XML Validation Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. | There are no reported fixed by versions. |
|
VCID-ufcq-57q9-53c7
Aliases: CVE-2012-0394 GHSA-hmvj-gc9q-mg9p |
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-vkb9-11h4-dugp
Aliases: CVE-2013-1966 GHSA-737w-mh58-cxjp |
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. |
Affected by 6 other vulnerabilities. |
|
VCID-vnkw-9fa2-zqcm
Aliases: CVE-2013-2135 GHSA-pw8r-x2qm-3h5m |
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-gv5f-auvz-5fda | The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object. |
CVE-2012-0393
GHSA-hxqq-w4mr-mc62 |
| VCID-nmgp-r7hb-5ke1 | The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. |
CVE-2012-0391
GHSA-4wrr-9h5r-m92w |
| VCID-r28t-sdc5-kbga | The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. |
CVE-2012-0392
GHSA-2ppp-xj34-vvf7 |
| VCID-z1gf-169n-m3af | Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. |
CVE-2012-0838
GHSA-mwrx-hx6x-3hhv |