| purl | pkg:maven/org.apache.struts/struts2-core@2-alpha0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1exe-1vfk-f7bn (Aliases: CVE-2013-2248, GHSA-rpj9-r897-wc6q) | Allows open redirects: Multiple open redirect vulnerabilities in this package allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the `redirect:` or `redirectAction:` prefix. | Affected by 38 other vulnerabilities. |
| VCID-1kjb-use6-23eu (Aliases: CVE-2013-2135, GHSA-pw8r-x2qm-3h5m) | Code Injection: Apache Struts allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both `${}` and `%{}` sequences, which causes the OGNL code to be evaluated twice. | Affected by 40 other vulnerabilities. |
| VCID-4x3k-a11x-7bee (Aliases: CVE-2013-1966, GHSA-737w-mh58-cxjp) | Remote command execution due to flaw in the includeParams attribute of URL and Anchor tags: This package allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the `includeParams` attribute in the URL or A tag. | Affected by 43 other vulnerabilities. |
| VCID-84ge-vq7u-j3ar (Aliases: CVE-2014-0094, GHSA-vrwc-qjmw-5rjm) | Incomplete fix for ClassLoader manipulation via ParametersInterceptor: The `ParametersInterceptor` in this package allows remote attackers to manipulate the `ClassLoader` via the `class` parameter, which is passed to the `getClass` method. | Affected by 32 other vulnerabilities. |
| VCID-89az-256b-mubw (Aliases: CVE-2013-2134, GHSA-gqqm-564f-vvxq) | Code Injection: Apache Struts 2 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. | Affected by 40 other vulnerabilities. |
| VCID-e78f-s5z5-qkgs (Aliases: CVE-2010-1870, GHSA-x5fc-pgpx-59j5) | XWork ParameterInterceptors bypass allows remote command execution: The OGNL extensive expression evaluation capability in this package, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive allowlist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the `#context`, `#_memberAccess`, `#root`, `#this`, `#_typeResolver`, `#_classResolver`, `#_traceEvaluations`, `#_lastEvaluation`, `#_keepLastEvaluation`, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504. | Affected by 49 other vulnerabilities. |
| VCID-emya-8et9-n7a9 (Aliases: CVE-2011-1772, GHSA-56f8-g68r-j699) | Multiple XSS flaws in XWork: Multiple cross-site scripting (XSS) vulnerabilities in XWork allow remote attackers to inject arbitrary web script or HTML via vectors involving an action name, the `action` attribute of an `s:submit` element, or the `method` attribute of an `s:submit` element. | Affected by 48 other vulnerabilities. |
| VCID-kc4z-fnyk-tkdu (Aliases: CVE-2012-0838, GHSA-mwrx-hx6x-3hhv) | OGNL expression unexpected evaluation on conversion error: This package evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. | Affected by 44 other vulnerabilities. |
| VCID-kcy9-3d45-23b1 (Aliases: CVE-2012-4387, GHSA-hrgc-54mv-58gv) | Long parameter name DoS: This package allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. | Affected by 43 other vulnerabilities. |
| VCID-kmqa-hsqy-muf1 (Aliases: CVE-2013-4310, GHSA-q5q8-jghf-3pm3) | Broken Access Control Vulnerability: This package allows remote attackers to bypass access controls via a crafted `action:` prefix. | Affected by 36 other vulnerabilities. |
| VCID-tqxu-gna6-j3ff (Aliases: CVE-2011-3923, GHSA-j68f-8h6p-9h5q) | Remote code execution via OGNL injection in HTTP parameter values: OGNL provides, among other features, extensive expression evaluation capabilities. The vulnerability allows a malicious user to bypass all the protections (regex pattern, deny method invocation) built into the `ParametersInterceptor`, thus being able to inject a malicious expression in any exposed string variable for further evaluation. | Affected by 45 other vulnerabilities. |
| VCID-wsvw-qwt7-qbg1 (Aliases: CVE-2013-2115, GHSA-7ghm-rpc7-p7g5) | Remote command execution due to flaw in the includeParams attribute of URL and Anchor tags: This package allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the `includeParams` attribute in the URL or A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. | Affected by 43 other vulnerabilities. |
| VCID-xd9a-gdh3-97ar (Aliases: CVE-2012-4386, GHSA-2rvh-q539-q33v) | CSRF protection bypass: The token check mechanism in this package does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute. | Affected by 43 other vulnerabilities. |
| VCID-z6wr-3psx-dbfm (Aliases: CVE-2013-4316, GHSA-j7h6-xr7g-m2c5) | This package enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. | Affected by 37 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||