Vulnerabilities > Apache > Struts > 2.2.3
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2012-03-02 | CVE-2012-0838 | Improper Input Validation vulnerability in Apache Struts Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. | 10.0 |
| 2012-02-07 | CVE-2012-1006 | Cross-Site Scripting vulnerability in Apache Struts 2.0.14/2.2.3 Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders. | 4.3 |
| 2012-01-08 | CVE-2011-5057 | Permissions, Privileges, and Access Controls vulnerability in Apache Struts Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. | 5.0 |
| 2012-01-08 | CVE-2012-0393 | Permissions, Privileges, and Access Controls vulnerability in Apache Struts The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object. | 6.4 |
| 2012-01-08 | CVE-2012-0392 | Unspecified vulnerability in Apache Struts The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. network apache | 6.8 |
| 2012-01-08 | CVE-2012-0391 | Improper Input Validation vulnerability in Apache Struts The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. | 9.3 |