Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Struts
(Apache)| Repositories | https://github.com/kawasima/struts1-forever |
| #Vulnerabilities | 87 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-08-29 | CVE-2015-5209 | Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. | Struts | 7.5 | ||
| 2017-09-25 | CVE-2015-5169 | Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20. | Struts | 6.1 | ||
| 2015-07-16 | CVE-2015-1831 | The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. | Struts | N/A | ||
| 2016-07-04 | CVE-2015-0899 | The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. | Struts | 7.5 | ||
| 2014-12-10 | CVE-2014-7809 | Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. | Struts | N/A | ||
| 2013-11-02 | CVE-2013-6348 | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/. | Struts | N/A | ||
| 2013-09-30 | CVE-2013-4316 | Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. | Struts, Flexcube_private_banking, Mysql_enterprise_monitor, Webcenter_sites | N/A | ||
| 2013-09-30 | CVE-2013-4310 | Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. | Struts | N/A | ||
| 2013-07-20 | CVE-2013-2248 | Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix. | Struts | N/A | ||
| 2013-07-16 | CVE-2013-2135 | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. | Struts | N/A |