| Field | Value |
|---|---|
| purl | pkg:maven/org.apache.struts/struts2-core@2.0.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2rjv-1thm-dugt (Aliases: CVE-2016-3082, GHSA-pvm9-288c-v5wq) | XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. | Affected by 25 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 22 other vulnerabilities. |
| VCID-3yq7-n972-j7dh (Aliases: CVE-2019-0230, GHSA-wp4h-pvgw-5727) | Improperly Controlled Modification of Dynamically-Determined Object Attributes: Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | Affected by 8 other vulnerabilities. |
| VCID-4agy-6nsx-7ufh (Aliases: CVE-2016-3093, GHSA-383p-xqxx-rrmp) | Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. | Affected by 24 other vulnerabilities. |
| VCID-6241-shkt-s7ew (Aliases: CVE-2013-2134, GHSA-gqqm-564f-vvxq) | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. | Affected by 40 other vulnerabilities. |
| VCID-6hrc-fm64-ckhf (Aliases: CVE-2016-2162, GHSA-2j4q-9fff-236j) | Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. | Affected by 25 other vulnerabilities. |
| VCID-79j9-v8gz-rfax (Aliases: CVE-2020-17530, GHSA-jc35-q369-45pv) | Remote code execution in Apache Struts: forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | Affected by 7 other vulnerabilities. |
| VCID-8bsh-bshc-vkgq (Aliases: CVE-2016-4461, GHSA-864w-r5qj-h6fj) | Apache Struts forced double OGNL evaluation: Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785. | Affected by 18 other vulnerabilities. |
| VCID-95ts-vpk6-uubg (Aliases: CVE-2025-66675, GHSA-rg58-xhh7-mqjw) | Apache Struts has a Denial of Service vulnerability: Denial of Service vulnerability in Apache Struts; a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts from 2.0.0 through 6.7.4 and from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-at5c-f8p8-67fh (Aliases: CVE-2016-4003, GHSA-m3x6-9v6h-4g28) | Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter. | Affected by 24 other vulnerabilities. Affected by 25 other vulnerabilities. |
| VCID-b59n-uxft-4qgz (Aliases: CVE-2013-4316, GHSA-j7h6-xr7g-m2c5) | Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. | Affected by 37 other vulnerabilities. |
| VCID-d8as-n8hc-j3fj (Aliases: CVE-2008-6505, GHSA-wv7g-xhvw-8hcp) | Apache Struts directory traversal vulnerability: Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a `..%252f` (encoded dot dot slash) in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1.x. | Affected by 49 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 50 other vulnerabilities. |
| VCID-fv6w-cdtc-kkhx (Aliases: CVE-2011-3923, GHSA-j68f-8h6p-9h5q) | Struts ParameterInterceptor vulnerability allows remote command execution: the regular expression in ParametersInterceptor matches `top['foo'](0)` as a valid expression, which OGNL treats as `(top['foo'])(0)` and evaluates the value of the 'foo' action parameter as an OGNL expression. This lets malicious users put arbitrary OGNL statements into any String variable exposed by an action and have it evaluated as an OGNL expression, and since the OGNL statement is in an HTTP parameter value, an attacker can use blacklisted characters (e.g. #) to disable method execution and execute arbitrary methods, bypassing the ParametersInterceptor and OGNL library protections. | Affected by 45 other vulnerabilities. |
| VCID-gfxq-vtry-bqgg (Aliases: CVE-2023-50164, GHSA-2j39-qcjm-428w) | Files or Directories Accessible to External Parties: An attacker can manipulate file upload params to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue. | Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-hgj2-vqzn-gyeb (Aliases: CVE-2021-31805, GHSA-v8j6-6c2r-r27c) | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection'): The fix issued for CVE-2020-17530 was incomplete, so from Apache Struts 2.0.0 to 2.5.29 some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to Remote Code Execution and security degradation. | Affected by 6 other vulnerabilities. |
| VCID-hkjh-35ye-1ugj (Aliases: CVE-2013-2115, GHSA-7ghm-rpc7-p7g5) | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. | Affected by 43 other vulnerabilities. |
| VCID-j5su-cnqd-6yad (Aliases: CVE-2016-0785, GHSA-876p-4wgc-75rx) | Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. | Affected by 25 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 25 other vulnerabilities. |
| VCID-j8jv-hzsy-nyec (Aliases: CVE-2025-64775, GHSA-xx7v-hqxh-cjr9) | Apache Struts is Vulnerable to DoS via File Leak: Denial of Service vulnerability in Apache Struts; a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts from 2.0.0 through 6.7.0 and from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-k6mz-k1yb-4uej (Aliases: CVE-2012-4386, GHSA-2rvh-q539-q33v) | CSRF protection bypass: The token check mechanism in this package does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute. | Affected by 43 other vulnerabilities. |
| VCID-kdsa-599r-eud7 (Aliases: CVE-2014-0094, GHSA-vrwc-qjmw-5rjm) | The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. | Affected by 32 other vulnerabilities. |
| VCID-p9xh-frm5-8ucp (Aliases: CVE-2015-1831, GHSA-q2cg-xf9p-h457) | The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. | Affected by 30 other vulnerabilities. |
| VCID-skbn-jggt-uffg (Aliases: CVE-2008-6682, GHSA-jgcr-9c2q-rvp8) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag. | Affected by 50 other vulnerabilities. Affected by 1 other vulnerability. |
| VCID-tgd1-s1yg-9fdt (Aliases: CVE-2025-68493, GHSA-qcfc-hmrc-59x7) | Apache Struts 2 is Missing XML Validation: Missing XML Validation vulnerability in Apache Struts. This issue affects Apache Struts from 2.0.0 before 2.2.1 and from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. | Affected by 12 other vulnerabilities. Affected by 5 other vulnerabilities. |
| VCID-vkb9-11h4-dugp (Aliases: CVE-2013-1966, GHSA-737w-mh58-cxjp) | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. | Affected by 43 other vulnerabilities. |
| VCID-vnkw-9fa2-zqcm (Aliases: CVE-2013-2135, GHSA-pw8r-x2qm-3h5m) | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. | Affected by 40 other vulnerabilities. |
| VCID-ygbu-vb2t-jqhx (Aliases: CVE-2016-4436, GHSA-xm92-v2mq-842q) | Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. | Affected by 18 other vulnerabilities. Affected by 20 other vulnerabilities. |
| VCID-zxww-8kb3-tufv (Aliases: CVE-2019-0233, GHSA-ccp5-gg58-pxfm) | Improper Preservation of Permissions in Apache Struts: An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. | Affected by 8 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |