| purl | pkg:maven/org.apache.struts/struts2-core@2-alpha0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-6241-shkt-s7ew (Aliases: CVE-2013-2134, GHSA-gqqm-564f-vvxq) | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. | Affected by 40 other vulnerabilities. |
| VCID-6t1x-s2k2-b7bq (Aliases: CVE-2013-4310, GHSA-q5q8-jghf-3pm3) | Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted `action:` prefix. | Affected by 36 other vulnerabilities. |
| VCID-759g-hsfg-97f8 (Aliases: CVE-2013-2248, GHSA-rpj9-r897-wc6q) | Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) `redirect:` or (2) `redirectAction:` prefix. | Affected by 38 other vulnerabilities. |
| VCID-b59n-uxft-4qgz (Aliases: CVE-2013-4316, GHSA-j7h6-xr7g-m2c5) | Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. | Affected by 37 other vulnerabilities. |
| VCID-evh9-mua1-2bem (Aliases: CVE-2010-1870, GHSA-x5fc-pgpx-59j5) | XWork ParameterInterceptors bypass allows remote command execution. The OGNL extensive expression evaluation capability in this package, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive allowlist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the `#context`, `#_memberAccess`, `#root`, `#this`, `#_typeResolver`, `#_classResolver`, `#_traceEvaluations`, `#_lastEvaluation`, `#_keepLastEvaluation`, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504. | Affected by 49 other vulnerabilities. |
| VCID-fv6w-cdtc-kkhx (Aliases: CVE-2011-3923, GHSA-j68f-8h6p-9h5q) | Struts ParameterInterceptor vulnerability allows remote command execution. The regular expression in ParametersInterceptor matches `top['foo'](0)` as a valid expression, which OGNL treats as `(top['foo'])(0)` and evaluates the value of the 'foo' action parameter as an OGNL expression. This lets malicious users put arbitrary OGNL statements into any String variable exposed by an action and have it evaluated as an OGNL expression; since the OGNL statement is in an HTTP parameter value, an attacker can use blacklisted characters (e.g. #) to disable method execution and execute arbitrary methods, bypassing the ParametersInterceptor and OGNL library protections. | Affected by 45 other vulnerabilities. |
| VCID-hkjh-35ye-1ugj (Aliases: CVE-2013-2115, GHSA-7ghm-rpc7-p7g5) | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. | Affected by 43 other vulnerabilities. |
| VCID-k6mz-k1yb-4uej (Aliases: CVE-2012-4386, GHSA-2rvh-q539-q33v) | CSRF protection bypass. The token check mechanism in this package does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute. | Affected by 43 other vulnerabilities. |
| VCID-kdsa-599r-eud7 (Aliases: CVE-2014-0094, GHSA-vrwc-qjmw-5rjm) | The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. | Affected by 32 other vulnerabilities. |
| VCID-q96z-v3bs-k3dg (Aliases: CVE-2012-4387, GHSA-hrgc-54mv-58gv) | Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. | Affected by 43 other vulnerabilities. |
| VCID-vkb9-11h4-dugp (Aliases: CVE-2013-1966, GHSA-737w-mh58-cxjp) | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. | Affected by 43 other vulnerabilities. |
| VCID-vnkw-9fa2-zqcm (Aliases: CVE-2013-2135, GHSA-pw8r-x2qm-3h5m) | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. | Affected by 40 other vulnerabilities. |
| VCID-x65e-31g3-77bp (Aliases: CVE-2011-1772, GHSA-56f8-g68r-j699) | Multiple XSS flaws in XWork. Multiple cross-site scripting (XSS) vulnerabilities in XWork allow remote attackers to inject arbitrary web script or HTML via vectors involving an action name, the action attribute of an `s:submit` element, or the method attribute of an `s:submit` element. | Affected by 48 other vulnerabilities. |
| VCID-z1gf-169n-m3af (Aliases: CVE-2012-0838, GHSA-mwrx-hx6x-3hhv) | Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. | Affected by 44 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |