Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
struts vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2012-0392
The CookieInterceptor component in Apache Struts prior to 2.3.1.1 does not use the parameter-name whitelist, which allows remote malicious users to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
Apache Struts
1 EDB exploit
NA
CVE-2012-0394
The DebuggingInterceptor component in Apache Struts prior to 2.3.1.1, when developer mode is used, allows remote malicious users to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself.
Apache Struts
2 EDB exploits
6.1
CVSSv3
CVE-2016-4003
Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE prior to 1.8, as used in Apache Struts 2.x prior to 2.3.28, when using a single byte page encoding, allows remote malicious users to inject arbitrary web script or HTML via multi-byte characters in a url-e...
Apache Struts
6.1
CVSSv3
CVE-2015-5169
Cross-site scripting (XSS) vulnerability in Apache Struts prior to 2.3.20.
Apache Struts
9.8
CVSSv3
CVE-2021-31805
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted ...
Apache Struts
7 Github repositories
NA
CVE-2012-0393
The ParameterInterceptor component in Apache Struts prior to 2.3.1.1 does not prevent access to public constructors, which allows remote malicious users to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
Apache Struts
1 EDB exploit
NA
CVE-2013-2134
Apache Struts 2 prior to 2.3.14.3 allows remote malicious users to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
Apache Struts
1 EDB exploit
8.8
CVSSv3
CVE-2016-0785
Apache Struts 2.x prior to 2.3.28 allows remote malicious users to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
Apache Struts
NA
CVE-2014-0094
The ParametersInterceptor in Apache Struts prior to 2.3.16.2 allows remote malicious users to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
Apache Struts
2 EDB exploits
4 Github repositories
6.1
CVSSv3
CVE-2015-2992
Apache Struts prior to 2.3.20 has a cross-site scripting (XSS) vulnerability.
Apache Struts
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-21987
buffer overflow
CVE-2024-28890
CVE-2024-27574
CVE-2024-27347
CVE-2024-31450
privilege
SSTI
CVE-2024-31666
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
10
NEXT »