Vulnerabilities > Apache > Struts > 2.1.0
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2013-07-16 | CVE-2013-2135 | Code Injection vulnerability in Apache Struts Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. | 9.3 |
2013-07-16 | CVE-2013-2134 | Code Injection vulnerability in Apache Struts Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. | 9.3 |
2013-07-10 | CVE-2013-2115 | Code Injection vulnerability in Apache Struts Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. | 9.3 |
2013-07-10 | CVE-2013-1966 | Code Injection vulnerability in Apache Struts Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. | 9.3 |
2013-07-10 | CVE-2013-1965 | Code Injection vulnerability in Apache Struts and Struts2-Showcase Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. | 9.3 |
2012-09-05 | CVE-2012-4387 | Permissions, Privileges, and Access Controls vulnerability in Apache Struts Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. | 5.0 |
2012-09-05 | CVE-2012-4386 | Cross-Site Request Forgery (CSRF) vulnerability in Apache Struts The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute. | 6.8 |
2012-03-02 | CVE-2012-0838 | Improper Input Validation vulnerability in Apache Struts Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. | 10.0 |
2012-01-08 | CVE-2011-5057 | Permissions, Privileges, and Access Controls vulnerability in Apache Struts Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. | 5.0 |
2012-01-08 | CVE-2012-0393 | Permissions, Privileges, and Access Controls vulnerability in Apache Struts The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object. | 6.4 |