Search for packages
| purl | pkg:maven/struts/struts@1.2.2 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4wwa-j9p2-9be1
Aliases: CVE-2008-2025 GHSA-wcgx-2hvx-5cwr |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters." |
Affected by 0 other vulnerabilities. |
|
VCID-8dws-9ubs-qqcg
Aliases: CVE-2006-1547 GHSA-7qwv-cwgj-c8rj |
Improper Input Validation in Apache Struts ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils. |
Affected by 9 other vulnerabilities. |
|
VCID-ffbg-tkyw-ufad
Aliases: CVE-2006-1548 GHSA-p3vw-fvwx-qcv5 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message. |
Affected by 9 other vulnerabilities. |
|
VCID-g2gb-x2nh-2bgz
Aliases: CVE-2012-1007 GHSA-9848-v244-962p |
Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to `struts-examples/upload/upload-submit.do`, or the message parameter to (2) `struts-cookbook/processSimple.do` or (3) `struts-cookbook/processDyna.do`. | There are no reported fixed by versions. |
|
VCID-jjre-tuhb-4yat
Aliases: CVE-2023-49735 GHSA-qw4h-3xjj-84cc |
Apache Tiles: Unvalidated input may lead to path traversal and XXE The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles. This issue affects Apache Tiles from version 2 onwards. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | There are no reported fixed by versions. |
|
VCID-nur4-1g8a-57ew
Aliases: CVE-2014-0114 GHSA-p66x-2cv9-qq3v |
Improper Input Validation Apache Commons BeanUtils does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the `ActionForm` object in Struts | There are no reported fixed by versions. |
|
VCID-ppuk-knqn-tfc6
Aliases: CVE-2016-1182 GHSA-5ggr-mpgw-3mgx |
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899. | There are no reported fixed by versions. |
|
VCID-s3uq-35pj-byhy
Aliases: CVE-2015-0899 GHSA-cvvx-r33m-v7pq |
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. | There are no reported fixed by versions. |
|
VCID-v9xj-szyz-3ufy
Aliases: CVE-2006-1546 GHSA-vf8g-mpmw-qv87 |
Apache Struts vulnerable to Improper Input Validation Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check. |
Affected by 9 other vulnerabilities. |
|
VCID-wqjz-93pk-pbg7
Aliases: CVE-2016-1181 GHSA-7jw3-5q4w-89qg |
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||